
Check Point SandBlast Zero-Day Protection

White Paper

CHECK POINT SANDBLAST ZERO-DAY PROTECTION: THE BEST PROTECTION AT EVERY LEVEL

THE RISE OF KNOWN AND UNKNOWN MALWARE

UNKNOWN MALWARE DOWNLOADS JUMPED FROM 2.2 PER HOUR IN 2013 TO 106 PER HOUR IN 2014

Malware. It's a term that is getting a lot of attention in today's connected world from reporters, business owners, and IT experts. In the network security world, malware is malicious software that falls into one of these categories: adware, spyware, virus, worm, Trojan, rootkit, backdoors, keyloggers, ransomware, and browser hijackers. [1] While different types of malware affect systems differently, they often share common objectives, whether that is to steal sensitive data, gain access to unauthorized applications or privileges, and/or disrupt business.

In early 2014, news organizations around the world hailed 2013 as the Year of Breaches. That was until 2014 came to a close. According to a January 2015 report from AV-Test [2], an independent IT security research firm, malware incidents increased 72% between 2013 and 2014. More malware was found in the past two years than in the previous 10 years combined. [3]

Malware complexity is increasing as cybercriminals refine their intrusion techniques, masking malware signatures and varying attack methods. Hardest to stop are what we call zero-day attacks, which exploit previously unknown vulnerabilities, as well as new variants of existing malware that have not yet been seen. Because antivirus products typically do not recognize or catch new or unknown malware, this malware often bypasses even the most up-to-date antivirus and intrusion prevention protections. According to the 2015 Check Point Annual Security Report, the rate of unknown malware downloads jumped from 2.2 per hour in 2013 to 106 per hour in 2014. [4]

SECURITY APPROACHES TO ZERO-DAY ATTACKS

According to Internet Live Stats, more than 2.4 million emails are sent every second. [5] In the first 3 months of 2015 alone, about 59.2% of these emails were spam. [6] Email attachments have become the preferred method to transfer files, and the false belief many hold that attachments from known senders in their inbox are safe to open makes the inbox a prime target for attacks. The old prescription for scanning email used to be: install a good antivirus program, keep it up to date, and avoid suspicious-looking files and sites. Unfortunately, in today's world that sage advice is necessary but not sufficient to protect against modern malware.

2015 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content
October 26, 2015

Check Point SandBlast Zero-Day Protection

White Paper

Malware can hide in executables, in regular documents, and in web pages. The dangers of attacks embedded in executables have been well publicized for many years. Because of this awareness, the majority of users delete emails with executable attachments. In addition, many organizations have network security policies that strip executable attachments from emails. The latest attacks come through seemingly safe documents containing active elements such as macros, dynamic objects, and scripts, which makes them much more likely to be opened. Therefore, documents now pose one of the greatest risks to organizations.

DOCUMENTS NOW POSE ONE OF THE GREATEST RISKS TO ORGANIZATIONS TODAY

In 2014, 86% of organizations accessed a malicious website and 63% of organizations downloaded a malicious file. [7] From human resources to purchasing and beyond, employees must routinely open documents from job applicants, customers, and vendors, and risk exposing their companies to malware embedded inside them.

Sandboxing is a commonly used method for catching these newer malware types. Sandboxes pre-screen files before they enter your network by emulating a standard operating system (OS) in a restricted environment, safely isolated from your production network. The sandbox exercises an untested file in various ways, as if an actual user had opened it, and monitors for behavior beyond what is normally expected. By combining up-to-date antivirus with behavioral analysis and static analysis, sandboxing provides solid protection against potentially malicious executables. The traditional sandbox performs the behavioral analysis as a run-time test, while the static analysis deep-scans the code constructs within the executable.

Key factors to consider in selecting a good sandbox include:
- Detection and blocking of attacks
- Evasion resistance
- Fast and accurate detection
- Support for common file types
- Support for web objects such as Flash

Scanning the widest array of file types (.doc, .xls, .ppt, .pdf, .exe, .zip, .rar, etc.), including archive files, increases a security layer's malicious content catch rate. If your current sandbox solution only addresses a limited set of file types, you are potentially at risk, because cybercriminals embed malware into all types of transport files. When complemented with a mail transfer agent (MTA), the threat prevention process holds, and even modifies, the email in transit until sandboxing is complete. Thus it prevents malware from crossing the network boundary and ever reaching the end-user.


DOES YOUR SANDBOX: Detect AND block attacks? Have advanced capabilities such as evasion-resistant protection? Provide fast and accurate detection? Support inspection of a wide range of file types, including archive files? Support web objects such as Flash?

Inspecting files and clearing them before they enter a network should be a best practice, but it is actually a relatively recent one. Ease of implementation and minimal impact on the user experience have made sandbox technologies popular among many companies, with more and more considering adding them to their future security strategies. As sandboxing solutions are deployed more widely, cybercriminals continue to develop evasion techniques, sometimes simple and other times intricate, to prevent their malware from being detected. Today, some of the more common sandbox-bypassing techniques include [8]:
- Delayed launch, where the payload has a timer that prevents the actual malicious code from starting for minutes or hours after the file is first opened
- Identifying the sandbox by looking for virtual machine indicators, such as scanning registry keys, running processes, or disk size, and not deploying except on physical devices
- Checking for human interaction activities such as page scrolling, mouse clicks, and mouse movement that are difficult to replicate in a virtual environment

Sandboxing vendors are constantly creating new ways to prevent the latest evasions from being successful and to block the malware from entering the network. However, protections against evasion techniques are still often detectable by the malware, and the battle to stay ahead of hackers continues. Once cybercriminals know that they are being watched, no matter how good the traditional sandboxing technology is, there are even smarter cybercriminals working to evade it. Therefore, an even more advanced approach to threat defense is needed.
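As an added example (not from the white paper and not Check Point's product code), the following stdlib-only Python scans a constructed sandbox behaviour trace for the three evasion patterns listed above: VM fingerprinting through registry and process queries, a long sleep before the payload runs, and repeated cursor polling that waits for human interaction. The trace format, the API names as logged and the thresholds are assumptions.

```python
"""Flag sandbox-evasion indicators in a behavioural sandbox trace.

Added example, not Check Point code. The trace format (one 'api|argument'
call per line) and the thresholds are assumptions for this illustration.
"""
import re
from collections import defaultdict

# Constructed trace: a payload that fingerprints the VM, polls the mouse,
# then stalls for ten minutes before dropping its real executable.
SAMPLE_TRACE = """\
RegOpenKeyEx|HKLM\\SOFTWARE\\Microsoft\\Office\\16.0\\Word
RegOpenKeyEx|HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__
Process32Next|vmtoolsd.exe
GetCursorPos|0,0
GetCursorPos|0,0
GetCursorPos|0,0
Sleep|600000
CreateFile|C:\\Users\\Public\\update.exe
"""

# Substrings of registry keys and process names that identify common hypervisors.
VM_ARTIFACT_RE = re.compile(r"vbox|vmware|vmtools|qemu|virtual|xen", re.I)
LOOKUP_APIS = {"RegOpenKeyEx", "RegQueryValueEx", "Process32Next"}
LONG_SLEEP_MS = 5 * 60 * 1000   # assumption: a sleep this long is stalling, not normal work
CURSOR_POLL_MIN = 3             # assumption: this many identical polls is an interaction check

def analyse_trace(trace: str) -> dict:
    """Map each evasion technique seen in the trace to the lines that triggered it."""
    findings = defaultdict(list)
    cursor_positions = []
    for line in trace.splitlines():
        api, _, arg = line.partition("|")
        if api in LOOKUP_APIS and VM_ARTIFACT_RE.search(arg):
            findings["vm_fingerprinting"].append(line)       # identifying the sandbox
        elif api == "Sleep" and arg.isdigit() and int(arg) >= LONG_SLEEP_MS:
            findings["delayed_launch"].append(line)           # timer before the payload
        elif api == "GetCursorPos":
            cursor_positions.append(arg)
    # Polling the cursor repeatedly and never seeing it move: waiting for a human.
    if len(cursor_positions) >= CURSOR_POLL_MIN and len(set(cursor_positions)) == 1:
        findings["human_interaction_check"].append(
            f"GetCursorPos polled {len(cursor_positions)} times, no movement")
    return dict(findings)

def verdict(trace: str) -> str:
    """One-line triage result for the trace."""
    found = analyse_trace(trace)
    return "evasive: " + ", ".join(sorted(found)) if found else "no evasion indicators"
```

A sandbox that also flags these behaviours, rather than only waiting for the payload to misbehave, turns the evasion attempt itself into a detection signal.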

ANATOMY OF A NON-EXECUTABLE MALWARE ATTACK

Non-executable malware attacks are one of the most effective attack vectors available to cybercriminals because many companies restrict the download of executable files. However, documents such as Microsoft Word, PowerPoint, or Adobe PDF files constantly enter and leave organizations. These formats support dynamic content such as macros and embedded scripts, which can be leveraged to exploit known vulnerabilities. Many targeted and advanced attacks begin with spear phishing to trick the victim into opening a seemingly legitimate document, which then infects the system, and possibly the entire network. As a result, it's critical to defend against attacks that can be introduced by non-executables.

There are thousands of vulnerabilities found in computer system software, many with patches released but not always applied to all systems. And there are millions of malware variants that are activated from the starting point of these vulnerabilities. The U.S. Air Force defines vulnerabilities in its Three Tenets of Cyber Security analysis as the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. [9] With this definition in mind, a typical malware attack involves four stages:
- Finding a vulnerability: Every attack begins by finding one or more vulnerabilities, either in the operating system code or in a popular application such as a browser or a PDF reader. Using those vulnerabilities, cybercriminals have a way to trigger an attack.


- Using an exploit method: Exploits allow the attacker's injected logic to manipulate the target system and run malicious code. This requires overcoming the built-in security controls implemented by the OS and the CPU, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Only a handful of exploitation methods exist, and new ones surface very rarely.
- Running a shellcode: A shellcode is a small payload, typically embedded in the file or web page that started the attack. The shellcode is responsible for retrieving the actual malware and placing it on the infected system.
- Running the malware: The infection is completed by running the malware. It is at this step that evasion techniques come into play, preventing the malware from deploying fully in the sandbox.

Advanced sandboxing with CPU-level inspection capabilities detects these exploit methods by carefully examining CPU activity and the execution flow. This inspection is done at the assembly code level, where the exploit occurs, making it virtually impossible for hackers to evade detection: attackers don't have a chance to deploy any evasion tactics. Speed and accuracy make CPU-level sandboxing the best technology to detect unknown threats, including even zero-day attacks.

CHECK POINT SANDBLAST ZERO-DAY PROTECTION

Organizations not only require an advanced solution against threats, they also need a simple, fast, and fool-proof method of protection. Malware should be eliminated before it ever has the opportunity to reach employees. Check Point SandBlast Zero-Day Protection does just this by eliminating threats using two innovative technologies:
- Advanced sandboxing with deep CPU-level and OS-level inspection, stopping hackers from evading detection and providing the highest catch rate for malware
- Threat Extraction, which promptly delivers safe content by providing a reconstructed copy of incoming documents

Deep CPU-level sandboxing detects infection in data files at the exploit phase, while OS-level inspection detects attacks in executable and data files alike. Together they deliver the highest catch rate for threats. Threat Extraction capabilities within SandBlast provide immediate protection against zero-day attacks by promptly delivering safe reconstructed copies of incoming documents, while sandboxing completes in the background.
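To make the Threat Extraction idea concrete, here is an added example (not the white paper's and not Check Point's implementation) that does one piece of what the paragraph describes: it rebuilds a macro-enabled Word package without its VBA content, so the recipient gets a readable copy while the original waits for sandboxing. It uses only the standard library; the part names, content types and relationship type are the standard Word OOXML values, and the input document is constructed inline.

```python
"""Remove macro content from an OOXML document, one piece of what the
Threat Extraction step above describes. Added example, not Check Point code;
stdlib only. Part names, content types and the relationship type are the
standard Word OOXML values; the input document is constructed inline."""
import io
import re
import zipfile

ACTIVE_PARTS = {"word/vbaProject.bin", "word/vbaData.xml"}  # VBA storage in Word packages
MACRO_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled package (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{MACRO_CT}"/>'
                   '<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("word/document.xml", "<w:document><w:body><w:p>Invoice</w:p></w:body></w:document>")
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships><Relationship Id="rId1" Type="{MACRO_REL}" Target="vbaProject.bin"/>'
                   '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/'
                   '2006/relationships/styles" Target="styles.xml"/></Relationships>')
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder macro storage")
        z.writestr("word/styles.xml", "<w:styles/>")
    return buf.getvalue()

def has_active_content(doc: bytes) -> bool:
    """True if the package carries a VBA part or any part still references one."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return any(n in ACTIVE_PARTS or b"vbaProject" in z.read(n) for n in z.namelist())

def extract_safe_copy(doc: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the package without macro parts; return (safe bytes, removed part names)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in ACTIVE_PARTS:
                removed.append(name)          # drop the macro storage itself
                continue
            if name.endswith(".rels"):
                # Drop relationships that point at the macro project.
                data = re.sub(rb'<Relationship\b[^>]*vbaProject[^>]*/>', b"", data)
            elif name == "[Content_Types].xml":
                data = re.sub(rb'<Override\b[^>]*vbaProject[^>]*/>', b"", data)
                data = data.replace(MACRO_CT.encode(), PLAIN_CT.encode())  # .docm -> .docx type
            dst.writestr(name, data)
    return out.getvalue(), removed
```

A production sanitiser would also handle embedded OLE objects, DDE fields and other active content the paper mentions, and, as the paper notes, converting to PDF removes all of these at once at the cost of editability.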


HIGHEST CATCH RATE

Check Point SandBlast Zero-Day Protection has the highest catch rate of malware. To evaluate efficacy and speed, Check Point conducted two tests, Zero Second [10] and Unknown 300 Comparison [11]. These tests stacked the OS-level Threat Emulation capability within Check Point SandBlast Zero-Day Protection against OS-level sandbox offerings from other vendors, to determine (a) what percentage of unknown malware was detected; and (b) how long it took. The results:
- Check Point SandBlast OS-level Threat Emulation completed in four minutes with the best catch rate of unknown malware
- Other vendors ranged from eight minutes up to nineteen minutes to complete sandboxing. Their catch rate ranged from 27% to 70% of the unknown malware samples.

An industry assessment from Miercom on Advanced Persistent Threats (APTs) in 2014 found similar results. [12]

MIERCOM TESTING SHOWED THAT CHECK POINT OS-LEVEL THREAT EMULATION WAS ABLE TO IDENTIFY MALWARE AND UPDATE SIGNATURES IN APPROXIMATELY 3 MINUTES

Although the evaluations concluded that Check Point's traditional OS-level sandbox techniques were the best, this is a cat-and-mouse game with cybercriminals. No matter how good the traditional sandboxing technology, a smart cybercriminal will find some innovative way to bypass it. To counter such attacks, Check Point SandBlast Zero-Day Protection introduces CPU-level detection for maximum evasion resistance.


SUMMARY: THE BEST PROTECTION AT EVERY LEVEL

Total protection requires more than even next-generation firewalls and antivirus. With cybercriminals devising new ways to attack your systems and network, you need a solution that identifies known, unknown, and zero-day threats, all while delivering safe documents to your employees in a timely manner.

The pioneer of Internet security, Check Point innovates again with SandBlast Zero-Day Protection, introducing evasion-resistant CPU-level detection alongside the industry's best OS-level sandboxing, and combining it with Threat Extraction into an integrated solution.

The core capabilities of SandBlast include:
- Threat Extraction converts reconstructed files to PDF for best security, or keeps the original format while removing active content such as macros and scripts
- Deep malware inspection at the CPU level identifies exploits before they can hide
- Additional sandboxing techniques protect a full range of documents and file types
- Works with existing infrastructure, reducing the need to install new equipment
- Integrated prevention and security management for complete threat visibility
- Automatic sharing of new attack information with Check Point ThreatCloud to block additional occurrences of similar threats at the gateway

It's time to take threat defense to the next level and protect your business from attacks with a combination of the fastest operating solution and the highest malware catch rate. With our SandBlast Zero-Day Protection Solution, your business receives maximum protection promptly, with no disruption to productivity.


REFERENCES:
1. The Truth About Malware. http://www.malwaretruth.com/the-list-of-malware-types/
2. AV-Test. https://www.av-test.org/en/statistics/malware/
3. AV-Test. https://www.av-test.org/en/statistics/malware/
4. Check Point Software Technologies. 2015 Check Point Security Report, 2015. www.checkpoint.com/resources/2015securityreport/
5. Internet Live Stats. http://www.internetlivestats.com/one-second/#email-band
6. Ilyin, Yuri. Spam and Phishing in Q1, 2015: Banks and Banking Trojans, Kaspersky Lab Business, June 24, 2015. https://business.kaspersky.com/spam-and-phishing-in-q1-2015banks-and-banking-trojans/4113/
7. Check Point Software Technologies. 2015 Check Point Security Report, 2015. www.checkpoint.com/resources/2015securityreport/
8. Calhoun, Pat. A Glimpse at the Latest Sandbox Evasion Techniques, Security Week, January 15, 2015. http://www.securityweek.com/glimpse-latest-sandbox-evasion-techniques
9. The Three Tenets of Cyber Security. http://www.spi.dod.mil/tenets.htm
10. Check Point Software Technologies. Zero Second Test, 2014. http://www.checkpoint.com/campaigns/zerosecond/zero_second_white_paper.pdf
11. Check Point Software Technologies. Unknown 300, 2014. http://www.checkpoint.com/resources/300/
12. Miercom. Advanced Threat Prevention with Sandbox Analysis, October 2014. http://www.checkpoint.com/resources/miercom-report/full-miercom-report.pdf
