Intercept X - Early Access Program Overview
Intercept X's Early Access Program offers advanced security solutions to combat active adversaries and advanced malware. The program covers deep learning techniques, false positive mitigations, and credential theft protection. It focuses on protecting against various threats such as credential theft, process privilege escalation, and registry manipulations. Learn how Intercept X can safeguard your systems from malicious activities.
Presentation Transcript
Intercept X: Early Access Program, July 2017
Karl Ackerman, Principal Product Manager, Endpoint Security Group
June 2017

Agenda
o EAP Overview
o Adversary Techniques
o Coming Soon
Active Adversary and Advanced Malware
Early Access Program
Part I (July) - Active Adversary
o Credential theft protection
o New process protection techniques
  - Code cave utilization
  - Malicious process migration
  - Process privilege escalation
  - APC protection (Atom bombing)
o New registry protections
  - Sticky key protection
  - Application verifier protection
o Improved process lockdown
  - Browser behaviour lockdown
  - HTA application lockdown
Part II (August) - Deep Learning
o Deep Learning model - detect malicious and potentially unwanted executables
o False positive mitigations - whitelisting
o Directed clean-up - quarantine and restore capability
Documents
o Active Adversary mitigations
o Deep Learning explained
o Intercept X features explained
Videos
o Demonstrations of the product in action

Intercept 2.0 - GA Q4 2017
Credential Theft Protection
o Prevent dumping of credentials from memory
o Protect the credential database on disk and in the registry
Active Adversary protections
o Code cave prevention
o Malicious process migration
o Process privilege escalation
o APC filter (prevent Atom Bombing exploit variants)
o Improved application lockdown
  - PowerShell abuse from browsers
  - HTA apps
Additional Registry Protections
o Sticky key mitigation
o Application Verifier protection (Double Agent)
Agenda
o EAP Overview
o Adversary Techniques
o Coming Soon
ACTIVE ADVERSARY

Credential Theft Protection
Adversary is attempting to steal passwords
o Impersonate the end user
o Move laterally through the network
o Establish persistence
o Exfiltrate data available to the compromised account
Multiple hacking/penetration tools available
o Mimikatz, Hashdump
o Adversary can steal password hashes and crack them on-line
o Adversary can extract clear-text passwords from memory
Target the technique, not the tool
o Protect LSASS runtime memory
o Protect the SAM database in the registry
o Protect disk sectors holding hash information
Process Protection: Malicious Process Migration
Adversary has compromised the device
o Process migration allows the adversary to move from one compromised process to another
o Maintains the connection even when the user terminates the browser session
Common practice in penetration testing and hacking
o Basic capability in Metasploit and other pen test tools
o Typically leverages DLL injection
Target the technique, not the tools
o Detect unauthorized process migration

Process Protection: Process Privilege Escalation
Adversary has compromised the device
o Escalation of a process's privilege or changing the process owner
o Gain access to restricted files/folders or devices
Multiple kernel vulnerabilities
o Allow process ticket theft and reuse
o Easily run from scripts in penetration test tools
o Often just a step in a process to reach a more sophisticated objective
Target the technique, not the tools
o Detect kernel token theft and reuse

Process Protection: APC Violation
New exploit techniques
o Leverage malicious Asynchronous Procedure Calls
o Develop a worm to propagate between unprotected machines
o Exploit a vulnerability to run arbitrary code
Multiple hacking/penetration tools available
o Fully weaponized by criminal syndicates
o Available in multiple exploit kits
o WannaCry and Petya ransom attacks
Target the technique, not the tools
o Detect utilization of code caves
Process Protection: Registry Protection
Modification of the registry to run arbitrary code
o Uses legitimate registry options to launch code
o Application Verifier registry option
o Sticky key attack (old school)
o Often used to establish persistence
Well documented and easy to use
o Simple registry modifications are easily deployed on compromised machines
o Tools to make it even easier are online
Target the technique, not the tools
o Prevent arbitrary code launch via common registry modification techniques
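The two registry tricks this slide names both live under the Image File Execution Options (IFEO) key: the "sticky keys" hijack sets a Debugger value on an accessibility binary such as sethc.exe, and the Application Verifier technique sets GlobalFlag 0x100 plus a VerifierDlls value so the loader pulls an attacker DLL into the target process. The audit script below is an added example written for this page, not Intercept X or Sophos code; it parses a .reg export (the sample export is constructed) and reports those two value shapes, rating a Debugger value on an accessibility binary as the highest severity.

```python
"""Audit a Windows registry export (.reg text) for the two registry tricks the
slide names: a "sticky keys" style Debugger value under Image File Execution
Options (IFEO) for an accessibility binary, and an Application Verifier
provider DLL registered via VerifierDlls under the same key.
Added example, not Intercept X code; the sample export below is constructed."""

IFEO_PATH = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
             "\\CurrentVersion\\Image File Execution Options")

# Accessibility helpers reachable from the logon screen: a Debugger value on
# one of these launches the configured program instead, with SYSTEM rights.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}

# Constructed export: one benign IFEO entry, one sticky-key hijack, one verifier DLL.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="verifier_provider.dll"
'''


def parse_reg(text):
    """Return {key_path: {value_name_lower: raw_data}} from a .reg export.
    Only the [key] and "name"=data line shapes are handled."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            keys[current][name.lower()] = data
    return keys


def decode_string(data):
    """Unquote a REG_SZ literal; .reg files write each backslash doubled."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\")
    return data


def audit(text):
    """Return (severity, target_exe, description) findings for IFEO abuse."""
    findings = []
    for key, values in parse_reg(text).items():
        parent, _, exe = key.rpartition("\\")
        if parent.lower() != IFEO_PATH.lower():
            continue
        exe = exe.lower()
        if "debugger" in values:
            # Any Debugger value deserves review; on an accessibility binary it
            # is the classic sticky-keys backdoor.
            severity = "high" if exe in ACCESSIBILITY_BINARIES else "medium"
            findings.append((severity, exe,
                             "IFEO Debugger -> " + decode_string(values["debugger"])))
        if "verifierdlls" in values:
            # GlobalFlag 0x100 + VerifierDlls makes the loader map this DLL
            # into every new instance of the target process.
            findings.append(("high", exe,
                             "Application Verifier DLL -> "
                             + decode_string(values["verifierdlls"])))
    return findings


if __name__ == "__main__":
    for severity, exe, detail in audit(SAMPLE_REG):
        print(f"[{severity}] {exe}: {detail}")
```

Run it against a real export produced with reg export on the IFEO key; a Debugger value on any accessibility binary should be treated as a compromise indicator rather than a misconfiguration, since there is no legitimate reason to debug sethc.exe on a production host.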
Process Protection: Process Lockdown
Adversary uses legitimate capabilities for malicious intent
o NO MALWARE needed in the attack
o Living-off-the-land attacks leverage existing system features
Commonly used on locked-down systems
o Extremely common, e.g. "Enable Macros"
o Trick the user into allowing risky behaviour
Target the known malicious behaviours
o Extends an existing feature in Intercept X
o Prevent malicious launch of PowerShell from a browser
o Enforce the browser lockdown feature on HTML applications run through the browser
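The credential theft, process migration and process lockdown slides all come down to "target the technique, not the tool", which on an endpoint means watching process telemetry rather than file hashes. The script below is an added example written for this page (not Intercept X or Sophos code) that triages constructed Sysmon-style events for the three techniques: a non-allowlisted process opening lsass.exe with PROCESS_VM_READ (credential dumping), a thread created in another process (the mechanism behind DLL injection and Metasploit-style migration), and a browser spawning PowerShell or the HTA host (the lockdown case). Event IDs 1, 8 and 10 are Sysmon's real ProcessCreate, CreateRemoteThread and ProcessAccess events; the dict field names and the LSASS_READERS allowlist are simplifying assumptions, and every event is constructed.

```python
"""Triage constructed Sysmon-style endpoint events for three of the slide
deck's techniques: credential theft (a handle to lsass.exe with read access),
malicious process migration (a thread created in another process) and process
lockdown (a browser spawning PowerShell or the HTA host).
Added example, not Intercept X code. Event IDs 1, 8 and 10 are Sysmon's
ProcessCreate, CreateRemoteThread and ProcessAccess; the field names are a
simplified assumption and every event below is constructed."""

BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read credential material out of LSASS

# Assumed site allowlist of system components that legitimately read LSASS memory.
LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe"},          # user-launched: benign
    {"id": 10, "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1000"},                           # QUERY_LIMITED_INFORMATION only
    {"id": 10, "source_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1010"},                           # includes PROCESS_VM_READ
    {"id": 8, "source_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
]


def basename(path):
    """Last path component, lower-cased, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (technique, summary) alerts in event order."""
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            parent, child = basename(ev["parent_image"]), basename(ev["image"])
            # Lockdown rule: browsers have no business launching script hosts.
            if parent in BROWSERS and child in SCRIPT_HOSTS:
                alerts.append(("lockdown", f"{parent} spawned {child}"))
        elif ev["id"] == 10 and basename(ev["target_image"]) == "lsass.exe":
            access = int(ev["granted_access"], 16)
            # Credential theft rule: read access to LSASS from outside the allowlist.
            if access & PROCESS_VM_READ and ev["source_image"].lower() not in LSASS_READERS:
                alerts.append(("credential-theft",
                               f"{basename(ev['source_image'])} opened lsass.exe with 0x{access:04x}"))
        elif ev["id"] == 8:
            # Migration rule: cross-process thread creation is rare enough in
            # user-land software that every instance is worth review.
            alerts.append(("process-migration",
                           f"{basename(ev['source_image'])} created a thread in "
                           f"{basename(ev['target_image'])}"))
    return alerts


if __name__ == "__main__":
    for technique, summary in triage(EVENTS):
        print(f"{technique:17s} {summary}")
```

The benign events are there on purpose: a user starting PowerShell from Explorer and a service querying LSASS with 0x1000 produce nothing, which is the behaviour a lockdown control needs if it is to be left enabled rather than switched off after the first false positive.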
Agenda
o EAP Overview
o Adversary Techniques
o Coming Soon
ADVANCED MALWARE

Deep Learning Detection Engine
Invincea Machine Learning Experts
o Created by the data scientists at Invincea with DARPA-driven technology
o Patented Deep Learning neural networks trained on 50+ million samples (and counting), which can also automatically learn to extract the features that provide optimal detection
o Stops unknown malware without signatures
o Some of the highest performance scores ever seen in third-party testing, with the lowest FPs in class
o Detects and stops threats within 20 milliseconds