About Peter Elmer: Listening to customers for more than thirty years, I focus on finding the right solution for network and endpoint related security challenges. Being part of the Check Point Security Experts team, I accompany customers and Check Point partners across EMEA creating layered security architecture for their defense. In my role as a member of Office of the CTO, I am sharing Cyber Security best practices and innovations with customers and partners. Living in Italy since more than fifteen years, I appreciate coffee and the culture of architecture and art. When travelling I like exploring local dishes and feel privileged learning from people I am meeting.

Selecting an effective solution for zero-day attack threat prevention is a complex task. Customers are seeking the most effective solution in order to gain the most value for their investment. In the interview below, you’ll get information about how to find direction during the security vendor selection process.

First, what is a zero-day attack?

A zero-day attack refers to a situation where vulnerabilities exist and are discovered and exploited on ‘day zero’, as soon as they’re found. An attacker utilizes a given vulnerability on this ‘day zero’, while no signature-based solution can prevent this attack. A zero-day prevention solution uses machine learning algorithms and sandboxing to help mitigate risks.

Tell us about preventing the unknown by attributing components:

While sandboxing unknown files (seen at ‘day zero’) the machine learning logic powering modern solutions attributes file components and classifies their behavior. Classifying malware to campaigns and understanding similarities allows the application of more effective defense methods.

How can IT admins better understand the impact of malware?

Check Point Zero-Day Prevention documents malware characteristics according to the MITRE ATT&CK Matrix. This allows individuals to understand the impact of the attack and to execute relevant remediation steps. In addition, the Zero-Day Protection solution is attributing malware to families, allowing customers to take efficient actions.

How can IT admins better understand a given attack’s technique?

Understanding the attack technique is vital in order to understand the impact of the attack. On the MITRE ATT&CK Matrix website, customers can learn about the different techniques used in the various stages of an attack.

What can decision-makers refer to when evaluating different zero-day threat prevention vendors?

In order to compare different vendors in the cyber security market, decision makers are encouraged to reach out to independent sources. In the past, the NSS Labs used to be a good source of information and reading their latest reports is still helpful.

Now (June 2021), MITRE Engenuity is considered an objective reference that publishes information about threat prevention solutions at their ATT&CK Evaluations website. Here, decision makers learn about the ability of vendors to identify the technique used by malware, documented in the ‘Analytic Coverage’ section on the website.

What about requesting statistics?

Decision makers should request detailed statistics about attacks and malware observed over a dedicated period. As attacks are evolving, reports must provide a time stamp in order to allocate the data into a time context. Without a time context, the data presented is not relevant, as it may refer to past attack types. In addition, attacks vary by region and vertical market segment and hence reports must be set into geographical context. Some attack scenarios occur more often in some regions than in others. Some vertical markets may receive more attacks than others.

The table below provides statistics collected by Check Point Research about the top MITRE techniques observed over the last 30 days prior to the 4th of June 2021 on a global basis, with a focus on Europe.

Peter Elmer, Graphic

The table shows that attacks using API calls are leading the pack, and that more than half of malware attacks are focused evading sandboxing. This allows customers taking actions to look for security solutions for API-based processes.

The table further indicates that decision-makers should interrogate vendors about the architecture used on their sandboxing systems in order to evaluate the robustness against evasion techniques. Some vendors may share detailed statistics under a Non-Discloser Agreement in order to avoid making the life of an attacker easier. General architecture elements of the sandboxing environment may be shared more openly, such as the use of machine learning components.

How important is a vendor’s engagement in Threat Research?

Threat research is a dedicated area of competence. Decision makers may want to inquire about how rigorous the vendor is when it comes to security research (for example Check Point Research). They should understand the ratio of employees engaged in research and development versus employees in sales and marketing roles by reading the financial reports published on the vendors’ website (example Form 20-F Check Point Software Technologies Ltd. 2020)

How important is machine learning – data driven security?

Data-driven security is key for successful threat prevention. Machine learning models require that data is accurately labeled in order to be effective. A vendor, such as Check Point Software Technologies, has more than 27 years of experience and uses a 300,000 dimensional space to attribute malware to campaigns. Campaign detection allows optimizing resources for understanding the malware’s intent. Reducing resources leads to faster response time, thus providing business continuity.  Additional security functionalities, such as extracting potential malicious content ‘on the fly’ from documents downloaded or received by email, contribute significantly to maintaining business processes ‘at the speed of the network’.

Is ‘one big machine learning logic’ used to find the malware?

The machine learning modules used in the Check Point Zero-Day Protection solution are constructed of multiple dedicated modules for executable file types and office file types. The modules are working in two phases: in a first phase, files are analyzed and meta data is created. In the second phase, the final verdict is achieved by classifying these meta data in other dedicated machine learning modules.

What is the take-away message here?

Preventing zero-day attacks is not magic that happens by accident. It is the result of humans driving machine learning models in a continuous learning cycle. We must be committed to research about attack-related information and leading the way to prevention and remediation activities. Through these efforts, this world is be made a bit safer every day.