Preventing multi-stage attacks with Check Point SandBlast Threat Emulation

Now more than ever, organizations and federal agencies are under assault by a new generation of cyberattacks that are targeted, stealthy and persistent. The attack techniques are varied and often multi-staged, which makes networks harder to protect. In this blog we’ll examine multi-stage attacks and show how advanced network threat prevention technologies can prevent them.

A multi-stage attack typically includes an initial dropper file, a main payload component of the malware, and additional modules delivered over a period of days, weeks, or more. The initial dropper is typically a file that looks benign on its own, downloaded from the web or attached to an email, and contains no malicious payload itself; its sole purpose is to fetch another file from the Internet.

Real Life Example of a Multi-Stage Attack

Cobalt Group Returns To Kazakhstan: During 2019, Check Point Research uncovered a Cobalt Group campaign that targeted the customers of a bank in Kazakhstan. The campaign utilized a document hosted on the promotional website of the Kassa Nova Bank to social engineer victims into running the embedded malicious macros. Enabling the macros starts a multi-stage infection chain that eventually downloads and executes a Cobalt Strike beacon, providing the attackers with a foothold inside the target organization.

Figure 1: Multi-stage infection chain employed by the Cobalt Group Campaign

How SandBlast Threat Emulation detects and prevents multi-stage attacks

Conventional sandboxing is not always effective against multi-stage attacks because the file that reaches the sandbox is often only the initial dropper, which on its own does nothing more harmful than download a file from the Internet. A sandbox that detonates the dropper in isolation, or without network access, therefore sees nothing to convict. The malicious payload is in the second-stage file that the dropper downloads and executes, and that payload may in turn fetch further modules over a period of days, weeks or more.

Threat Emulation, the SandBlast advanced sandboxing technology, is powered by ThreatCloud and analyzes the entire infection chain rather than the dropper alone. It observes the dropper's actions from the start and, through a secured outbound connection to the Internet, lets the dropper download the second-stage file, executes that file and detects it as malicious, so the attack is prevented before it ever breaches the network.
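The chain described in the Cobalt Group example (macro document, download, execution of the downloaded file, beacon) and the behaviour Threat Emulation follows can be expressed as a correlation over the process, network and file events a sandbox records. The following is an added example, not Check Point code or the output of any Check Point product: it correlates a constructed event trace into stages and shows that the same sample is only convicted when the sandbox lets the download happen. The event format, the host-process lists, the paths and the addresses are assumptions made for illustration.

```python
"""Correlate sandbox behaviour events into a multi-stage infection chain.

Added example, not Check Point code. The event format, the host-process
lists and the trace below are assumptions constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Assumed event shape: (event_type, pid, payload)
#   ("proc",  pid, {"ppid": int, "image": str})  process start
#   ("net",   pid, {"url": str})                 outbound connection
#   ("write", pid, {"path": str})                file written to disk
Event = Tuple[str, int, dict]

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed trace modelled on a macro document that spawns PowerShell,
# which fetches stage two, writes it to disk and runs it; stage two then
# calls home. Addresses are taken from the TEST-NET-3 documentation range.
SAMPLE_TRACE: List[Event] = [
    ("proc",  1000, {"ppid": 1,    "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}),
    ("write", 1000, {"path": "C:\\Users\\victim\\AppData\\Local\\Temp\\~WRD0001.tmp"}),
    ("proc",  1100, {"ppid": 1000, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}),
    ("net",   1100, {"url": "http://203.0.113.10/update.exe"}),
    ("write", 1100, {"path": "C:\\Users\\victim\\AppData\\Roaming\\update.exe"}),
    ("proc",  1200, {"ppid": 1100, "image": "C:\\Users\\victim\\AppData\\Roaming\\update.exe"}),
    ("net",   1200, {"url": "https://203.0.113.11/submit.php"}),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(trace: List[Event], network_allowed: bool = True) -> Tuple[str, List[str]]:
    """Return (verdict, chain). With network_allowed=False the trace is cut at
    the first outbound connection, modelling a sandbox that detonates the
    dropper without Internet access and so never observes stage two."""
    if not network_allowed:
        cut = next((i for i, ev in enumerate(trace) if ev[0] == "net"), len(trace))
        trace = trace[:cut]

    procs: Dict[int, dict] = {}           # pid -> {"ppid", "image"}
    written_by: Dict[str, int] = {}       # lower-cased path -> pid that wrote it
    contacted: Dict[int, List[str]] = {}  # pid -> URLs it connected to
    payload_pids: Set[int] = set()        # processes started from a downloaded file
    chain: List[str] = []

    for etype, pid, data in trace:
        if etype == "proc":
            procs[pid] = data
            name = basename(data["image"])
            parent = procs.get(data["ppid"])
            # Stage 1: a document viewer launching a script host is the
            # classic macro-dropper pattern.
            if parent and basename(parent["image"]) in OFFICE_HOSTS and name in SCRIPT_HOSTS:
                chain.append(f"stage1: {basename(parent['image'])} spawned {name} (pid {pid})")
            # Stage 2: the new image was written by a process that had just
            # talked to the network, i.e. a downloaded file is being executed.
            writer = written_by.get(data["image"].lower())
            if writer is not None and contacted.get(writer):
                payload_pids.add(pid)
                chain.append(f"stage2: pid {writer} fetched {contacted[writer][0]}, "
                             f"wrote {name} and executed it as pid {pid}")
        elif etype == "net":
            contacted.setdefault(pid, []).append(data["url"])
            # Stage 3: the downloaded payload itself calls out (beacon / C2).
            if pid in payload_pids:
                chain.append(f"stage3: payload pid {pid} connected to {data['url']}")
        elif etype == "write":
            written_by[data["path"].lower()] = pid

    if any(step.startswith("stage2") for step in chain):
        verdict = "malicious"
    elif chain:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, chain


if __name__ == "__main__":
    for allowed in (True, False):
        verdict, chain = analyze(SAMPLE_TRACE, network_allowed=allowed)
        print(f"network_allowed={allowed}: {verdict}")
        for step in chain:
            print("  " + step)
```

With the download allowed, the correlator sees all three stages and returns a malicious verdict; with the trace cut at the first outbound connection it sees only the Office-to-PowerShell spawn, which is at most suspicious and, for a dropper that avoids even that pattern, would look benign. That difference is exactly why a sandbox has to follow the download rather than judge the dropper in isolation.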

Best Zero Day Catch Rate

SandBlast Threat Emulation protects networks against unknown threats in web downloads and e-mail attachments. The Threat Emulation engine catches malware at the initial phase, before it enters the network: files are held and run in a virtual sandbox that imitates a standard operating system, so that malicious behavior is identified at the exploit phase, before the malware reaches the point where sandbox-evasion techniques come into play.

Check Point SandBlast provides the industry’s best zero-day protection through a combination of evasion-resistant Threat Emulation scanning engines, revolutionary AI engines, and SandBlast Threat Extraction that pre-emptively sanitizes files arriving by email and web downloads.

SandBlast is powered by Check Point ThreatCloud, which is the most powerful threat intelligence database. ThreatCloud is continuously enriched by advanced predictive intelligence engines, data from hundreds of millions of sensors, cutting-edge research from Check Point Research and external intelligence feeds.

Visit the SandBlast page to learn more.