Email Security That Responds to Evolving Threats (2018/1/24)

79% of ransomware attacks use phishing email
[Figure: timeline in minutes (00:00 to 04:00) from "Attacker sends email" to "First user opens phishing email (average time)" [1], "First user opens email attachment" [1], and "45 seconds to entirely encrypt an endpoint" [2]]
Sources: 1. Verizon 2016 Data Breach Investigations Report; 2. TeslaCrypt 3.0

Business Email Compromise (BEC) attacks
Forms: CEO fraud, supplier fraud, account compromise
$5B in global losses; an average loss of $132,000 per incident
Difficult to detect: the message carries no attachment and no URL

Attackers inside the organization: internal phishing email from a trusted user
Employee A (compromised device or email credentials) -> malware, BEC/fraud -> Employee B
Email gateway security cannot see internal mail!

Phishing is the #1 security issue
The top 5 concerns are all email-related: Phishing, Targeted attacks, Compliance, Advanced threats, Ransomware (followed by Cloud services)
Source: Black Hat Survey, July 2017

User behavior: from email attachments to cloud file sharing
Email gateway security cannot see files that have already been uploaded to the cloud!

Why supplement the security features included in Office 365?
Exchange Online is designed, and SLA-backed, to catch 100% of known malware. But since 90% of malware infects only one device, only 10% of malware is known. Every customer needs a strategy for dealing with unknown malware at the email layer.
E5/ATP adds sandboxing but misses a significant amount of unknown malware and lacks BEC/fraud detection.
The popularity of Office 365 makes it worthwhile and easy for attackers to QA-test their attacks against Office 365.
If you bought a new home with a smoke detector guaranteed to detect 10% of fires, would you supplement it?

The need to maintain compliance and privacy
Many data leaks are caused by the wrong attachment or the wrong recipient
Organizations must comply with GDPR, PCI, HIPAA or other regulations
Customers want to be protected without complexity or interference with their business requirements

Protect

SMART: layered defense to protect email
Legend: known good / known bad / unknown
Layers, in order:
  Sender authentication & reputation
  Spam content analysis & correlation
  Attachment filtering & content filtering
  Anti-malware & URL reputation
  Machine learning (anti-malware)
  Machine learning & expert system (fraud/BEC) - NEW!
  Document exploit detection / macro analysis
  Sandbox analysis
  Real-time URL analysis at click time
Safe emails are allowed; malicious emails are blocked

Attachment filtering policy
Block attachment types that malware is likely to use, regardless of whether the particular file is malicious: .EXE, .DLL, .JS, .JSE, .VBS, .VBE, .WSH, .PS, etc.

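The policy above is a pure type filter: the decision depends only on the attachment's name, never on a malware verdict. The following is an added example of such a filter (it is not Trend Micro's code and the product's actual matching rules are not described on the slide). It walks the MIME parts of a message and blocks any attachment whose last extension is on the deny-list, matching case-insensitively and ignoring trailing dots so that "Invoice.PDF.exe" or "setup.exe." cannot slip past. The deny-list mirrors the slide; ".ps1" is added here as the PowerShell script extension and the sample message is constructed for the demo.

```python
"""Attachment-type filtering at the mail gateway (added example, not vendor code)."""
import email
from email import policy
from email.message import EmailMessage

# Extension deny-list from the slide; ".ps1" is this example's addition
# (the slide lists ".PS", which is kept as well).
BLOCKED_EXTENSIONS = {"exe", "dll", "js", "jse", "vbs", "vbe", "wsh", "ps", "ps1"}


def attachment_extension(filename):
    """Return the normalized last extension of a filename ('' if there is none).

    Lower-cases the name and strips trailing dots/spaces so that
    'Invoice.PDF.exe' -> 'exe' and 'setup.exe.' -> 'exe'.
    """
    name = filename.strip().rstrip(". ").lower()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1]


def is_blocked(filename):
    """Policy decision for one attachment name: True if the type is denied."""
    return attachment_extension(filename) in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message):
    """Parse a raw RFC 5322 message and list the attachment names the policy blocks."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    blocked = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no file of their own
        filename = part.get_filename()    # from Content-Disposition / Content-Type
        if filename and is_blocked(filename):
            blocked.append(filename)
    return blocked


def build_sample_message():
    """Constructed sample: a body, a benign PDF and two denied attachment types."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "sandra_finance@company.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    msg.add_attachment(b"WScript.Echo 1", maintype="application",
                       subtype="octet-stream", filename="update.VBS")
    return bytes(msg)


if __name__ == "__main__":
    print("blocked:", blocked_attachments(build_sample_message()))
```

The filter deliberately does not open the files: that is the point of a type policy, which is cheap and runs before any scanner. It is also its limit, since a renamed binary passes; the later layers on the SMART slide (anti-malware, machine learning, sandbox) exist to cover what the name alone cannot tell.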
Detecting unknown malware
Pre-execution machine learning: predicts and detects malicious files using thousands of file features and a machine learning model. Finds unknown malware before the sandbox stage, improving email delivery efficiency.
Document exploit detection: parses files to detect known and potentially malicious code aimed at the intended application. A technique for detecting new zero-day exploits in the field.
Sandbox analysis: behavioral analysis on multiple operating systems in parallel. Completes behavioral analysis within minutes.

Defense against malicious URLs
Threat intelligence: hundreds of millions of sensors; 2 trillion threat queries yearly; correlates files, IPs, URLs, vulnerabilities, and more; blocks 250M threats daily
URL reputation lookup: blocks most attacks before delivery
Real-time URL analysis: URLs are rewritten at the gateway (Internet -> Email Gateway -> SaaS-based mail security) so that time-delayed attacks are blocked when the user clicks the link

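The slide's two mechanisms differ in *when* reputation is consulted: the lookup happens at delivery, the rewrite defers the decision to the click, which defeats links that only turn malicious after the mail has landed. The following added example (not Trend Micro's implementation) shows the shape of such a rewrite. Each http(s) link in the body is replaced by a link to a click-checking service; the original URL is carried in the rewritten link together with an HMAC so that the service cannot be turned into an open redirector. At click time the service verifies the signature and only then consults the current block data. The service hostname, signing key and block-list are assumptions of this example.

```python
"""Time-of-click URL protection: delivery-time rewrite plus click-time check (added example)."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

CLICK_SERVICE = "https://urlcheck.example.net/click"   # assumption: the gateway's click-check endpoint
SIGNING_KEY = b"per-tenant-secret-rotate-me"            # assumption: secret held only by the gateway
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING_PUNCT = ".,;:!?)"                               # sentence punctuation that is not part of a link


def _sign(original_url):
    """HMAC over the original URL; a link the gateway did not issue will not verify."""
    return hmac.new(SIGNING_KEY, original_url.encode(), hashlib.sha256).hexdigest()


def rewrite_url(original_url):
    """Wrap one URL so the click goes through the service first."""
    token = base64.urlsafe_b64encode(original_url.encode()).decode().rstrip("=")
    return f"{CLICK_SERVICE}?u={token}&s={_sign(original_url)}"


def extract_links(text):
    """All http(s) links in a text, with trailing sentence punctuation removed."""
    return [m.group(0).rstrip(TRAILING_PUNCT) for m in URL_RE.finditer(text)]


def rewrite_body(body):
    """Delivery-time step: rewrite every link in the message body."""
    def repl(match):
        raw = match.group(0)
        url = raw.rstrip(TRAILING_PUNCT)
        return rewrite_url(url) + raw[len(url):]   # keep the punctuation outside the link
    return URL_RE.sub(repl, body)


def decode_click(rewritten_url):
    """Recover the original URL from a rewritten link; None if token or signature is bad."""
    params = parse_qs(urlparse(rewritten_url).query)
    token = params.get("u", [""])[0]
    sig = params.get("s", [""])[0]
    try:
        original = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(sig, _sign(original)):
        return None
    return original


def resolve_click(rewritten_url, blocked_hosts):
    """Click-time step: decide with the reputation data available now, not at delivery.

    Returns ('allow'|'block', original_url); a tampered link is blocked outright.
    """
    original = decode_click(rewritten_url)
    if original is None:
        return ("block", None)
    host = (urlparse(original).hostname or "").lower()
    return ("block" if host in blocked_hosts else "allow", original)


if __name__ == "__main__":
    # Constructed sample body with one link that is clean at delivery time.
    body = "Please review http://updates.invoice-portal.test/doc?id=7 today."
    delivered = rewrite_body(body)
    link = extract_links(delivered)[0]
    print(resolve_click(link, set()))                                   # nothing known yet -> allow
    print(resolve_click(link, {"updates.invoice-portal.test"}))          # host listed later -> block
```

The same link therefore yields different answers as the block data changes, which is exactly the gap a delivery-time lookup leaves open. Rewriting also has a visible cost the slide does not mention: users lose the ability to read the real destination from the link text, so the click service should display the original URL on its block page.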
A.I.-based fraud email (BEC) detection: applying the analytic judgment model of security experts
Behavior: routing behavior, cousin domain, high-profile user similarity
Intention: payment, PII, urgency
Rule weighting and correlation -> more accurate identification

Malware defense for cloud file sharing
Problem: cloud file services include only basic AV and miss unknown malware. Network breach detection systems do not see traffic between off-network devices and SaaS services.
Trend Micro prevents threats from spreading in OneDrive, SharePoint, Box, Dropbox and Google Drive: advanced threat scanning, machine-learning based anti-malware, document exploit detection, URL analysis, sandbox analysis, and an on-demand scan to discover existing threats

Detecting attacks inside the organization early
Apply a malware detection solution on the mail server itself
Scan internal email for fraud threats
Detailed policies per directory group
Actions: tag (warning), delete, quarantine
Employee A (compromised device or email credentials) -> malware/fraud -> Employee B

Searching for and deleting malicious files with an Office 365 security solution
Office 365 Security: apply a solution that searches for and deletes attachments in Office 365 mailboxes or file shares

Searching for and deleting files inside Exchange/Domino mailboxes
Trend Micro ScanMail allows you to search and delete

Business Email Compromise/Fraud Protection

Despite training, users cannot tell a fake email from a real one
[Sample card: Fraud B, content word count: 37]
97% of users cannot identify a sophisticated phishing email. - Inspired eLearning, July 2017

What if only a security expert could identify it?
[Sample card: Fraud B, content word count: 37]

A security expert examines two aspects: behavior and intention
Mail header -> behavior; mail content -> intention
[Sample card: Fraud B, content word count: 37]

Mail header: behavioral characteristics of the attacker

  Received: from p3plwbeout05-06.prod.phx3.secureserver.net (p3plsmtp05-06-02.prod.phx3.secureserver.net [97.74.135.51]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by itf-01.company.com (Postfix) with ESMTPS id E0B9815FC65 for <Sandra_Finance@company.com>; Mon, 1 Aug 2016 05:47:42 +0000 (UTC)
  Received: from localhost ([97.74.135.4]) by p3plwbeout05-06.prod.phx3.secureserver.net with bizsmtp id Rhni1t00205rkER01hniYP; Sun, 25 Jul 2016 20:17:32 -0700
  X-CMAE: v=2.1 cv=l/atqoj8 c=1 sm=1 tr=0 p=i-petxfovf8a:10 a=gljzh28+bkptlj+hejpmag==:117 a=gljzh28+bkptlj+hejpmag==:17 a=l9h7d07yolsa:10 a=9cw_t1ccxrua:10 a=s5jvgz67dgca:10 a=wja2bgnzfmma:10 a=a7pwo9xp048a:10 a=ikctkhd0fzma:10 a=7z1cn_iqozsa:10 a=xrinti-inqa6s2tnsgua:9 a=h8oodqkaz7yfceec:21 a=qexddo2ut3ya:10 a=_w_s_7vecoqa:10
  [Callout: insecure email provider!]
  Message-Id: <08924520399f2e65d9e0753294fa8fa4@email05.secureserver.net>
  User-Agent: Workspace Webmail 6.4.2
  X-Domain: entraser.com
  X-SID: Rhni1t00205rkER01
  Received: (qmail 15064 invoked by uid 99); 1 Aug 2016 05:47:42 -0000
  Content-Transfer-Encoding: quoted-printable
  [Callout: forged From: domain]
  From: "Wilson Ceo" <wilson_ceo@compony.com>
  To: Sandra_Finance@company.com
  Content-Type: text/html; charset="utf-8"
  X-Originating-IP: 154.118.71.165
  Subject: URGENT
  X-Sender: amina@entraser.com
  [Callout: Reply-To address changed to a free-mail address]
  Reply-To: "Wilson Ceo" <emailpresident2@gmail.com>
  Date: Sun, 31 Jul 2016 22:47:40 -0700

Mail content: intention characteristics of the email
Body: "Need a same day payment of 22,110 made this morning, let me know if you are available to handle this now so i can forward details. Need it sorted today. Regards Wilson. Sent from my iphone"
Indicators: financial information (a same-day payment of 22,110), emphasis on urgency (this morning, sorted today), a demand for action (let me know if you are available to handle this now)

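The header and content slides above list the expert's indicators, and the A.I.-based BEC slide says the product weights and correlates such rules. The following is an added example that encodes those indicators as weighted expert rules (it is not the vendor's rule set; the slides disclose neither the real rules nor their weights, and the machine-learning stage is not modelled here). The behavior rules read the header (cousin domain via edit distance against the protected domain, Reply-To moved to a free-mail provider, an executive's name on an external address, X-Sender domain differing from From) and the intention rules read subject and body (payment, urgency, call to action). The protected domain, executive list, free-mail list and weights are assumptions; the suspicious sample is adapted from the slide and the benign one is constructed.

```python
"""Weighted expert rules for BEC detection over header behavior and body intention (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

PROTECTED_DOMAINS = {"company.com"}                      # assumption: the tenant's own mail domains
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
HIGH_PROFILE_NAMES = {"wilson"}                          # assumption: first names of executives to protect

# Intention rules run over subject + body, lower-cased.
INTENT_PATTERNS = {
    "payment": re.compile(r"\b(payment|wire|transfer|invoice|pay)\b"),
    "urgency": re.compile(r"\b(urgent|today|same day|this morning|asap|immediately)\b"),
    "action":  re.compile(r"\b(let me know|handle this|are you available|sorted)\b"),
}
# Illustrative weights: behavior rules outweigh intention rules because the
# intention words also occur in legitimate finance mail.
WEIGHTS = {"cousin_domain": 40, "reply_to_freemail": 30, "exec_name": 20,
           "sender_mismatch": 15, "payment": 15, "urgency": 10, "action": 10}
THRESHOLD = 60


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike ('cousin') domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_cousin_domain(domain):
    """External domain within two edits of a protected one, e.g. compony.com vs company.com."""
    return bool(domain) and domain not in PROTECTED_DOMAINS and \
        any(edit_distance(domain, p) <= 2 for p in PROTECTED_DOMAINS)


def score_message(raw):
    """Return (score, {rule: reason}) for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = {}
    from_name = parseaddr(msg.get("From", ""))[0]
    from_domain = domain_of(msg.get("From", ""))
    if is_cousin_domain(from_domain):
        hits["cousin_domain"] = f"From domain '{from_domain}' resembles a protected domain"
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain and reply_domain in FREEMAIL_DOMAINS:
        hits["reply_to_freemail"] = f"Reply-To redirected to free-mail domain '{reply_domain}'"
    first_name = (from_name.split() or [""])[0].lower()
    if first_name in HIGH_PROFILE_NAMES and from_domain not in PROTECTED_DOMAINS:
        hits["exec_name"] = f"display name '{from_name}' matches an executive but the domain is external"
    xsender_domain = domain_of(msg.get("X-Sender", ""))
    if xsender_domain and xsender_domain != from_domain:
        hits["sender_mismatch"] = f"X-Sender domain '{xsender_domain}' differs from the From domain"
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    for name, pattern in INTENT_PATTERNS.items():
        found = pattern.search(text)
        if found:
            hits[name] = f"intention keyword '{found.group(0)}'"
    return sum(WEIGHTS[h] for h in hits), hits


def verdict(score):
    return "suspicious" if score >= THRESHOLD else "normal"


# Adapted from the slide's sample (headers trimmed to the ones the rules read).
FRAUD_MESSAGE = """\
From: "Wilson Ceo" <wilson_ceo@compony.com>
To: Sandra_Finance@company.com
Reply-To: "Wilson Ceo" <emailpresident2@gmail.com>
X-Sender: amina@entraser.com
Subject: URGENT
Content-Type: text/plain; charset="utf-8"

Need a same day payment of 22,110 made this morning, let me know if you are
available to handle this now so i can forward details. Need it sorted today.
Regards Wilson
"""

# Constructed: a genuine internal request using the same intention words.
BENIGN_MESSAGE = """\
From: "Wilson Ceo" <wilson_ceo@company.com>
To: Sandra_Finance@company.com
Subject: Payment approval
Content-Type: text/plain; charset="utf-8"

Please process the same day payment for invoice 4471 today; let me know when it is done.
"""

if __name__ == "__main__":
    for raw in (FRAUD_MESSAGE, BENIGN_MESSAGE):
        score, hits = score_message(raw)
        print(verdict(score), score, sorted(hits))
```

The two samples make the point of the slides that follow: on intention alone the messages score the same (payment, urgency, action), and it is the behavior rules read from the header that separate the fraud from the executive's real request.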
Elements that express intention in an email
From a human's point of view, the real email and the fake email look identical.
Intention elements (seen in both the real and the fake email): demands action, financial information, emphasizes urgency
Attacker's behavior elements: email service provider, Reply-To changed to a free-mail address, forged sender

The view from expert rules: a suspicious email
Intention elements: demands action, financial information, emphasizes urgency
Behavior elements: email service provider, Reply-To changed to a free-mail address, forged sender
Compared side by side, the real email and the fake email differ in the behavior elements, and the expert rules flag the fake one as suspicious.

Expert rules + machine learning = fraud email detection
The same intention elements (demands action, financial information, emphasizes urgency) and behavior elements (email service provider, Reply-To changed to a free-mail address, forged sender) are evaluated for the real email and the fake email.

Improving the completeness of analysis = expert rules + machine learning
Human: looks normal?
Expert rules: suspicious indicators found
Expert rules + machine learning: suspicious email detected!

Trend Micro Email Security

Email Security Portfolio
Protection for Office 365: Internet Email Gateway - SaaS; Service Integration - SaaS
Email Gateway SW [Anti-Spam Appliance]
Advanced Threat Protection HW [Anti-A.P.T. Appliance]
Service Integration - SW [Groupware/Messaging Anti-Virus]

Thank you.