By Yaelle Harel and Adeline Chan, Threat Prevention Marketing Managers, published November 22, 2019
Cyber attacks continue to evolve at an ever-increasing pace. Threats have become more sophisticated and dangerous compared to just a few years ago. The velocity of malware evolution, an increasing number of end-user devices, networks and technologies that need protection, and petabytes of data to process combine to make it impossible for human-created models to give comprehensive, up-to-date protection. Relying solely on traditional detection engines leaves organizations exposed to incredibly damaging attacks. Organizations, therefore, face an urgent need to continually ramp up and improve their cybersecurity.
Incorporating AI in all four stages of the adaptive security cycle
Check Point overcomes this challenge by incorporating artificial intelligence (AI) into its unified, multi-layered security architecture. By doing so, the company provides an ever-improving, intelligent system that doesn’t just detect, but actively prevents complex, sophisticated attacks.
Gartner lists the four stages of an adaptive security architecture as predict, prevent, detect and respond. In this blog entry, we’ll look at real-world examples of how Check Point incorporates AI at each of the four stages to improve detection rates, reduce false positives and shorten response times.
Predicting an unknown cryptominer
Attacks tend to spread fast across organizations’ networks once the system has been breached, causing severe damage very quickly. Therefore, predicting attacks before they strike is critical.
Attackers frequently use a filename that is similar to that of a legitimate, trusted program (Mitre ATT&CK™ Technique: Masquerading) to deceive system administrators or security programs into thinking that the file is benign. However, legitimate processes sometimes use similar process names as well. Therefore, classifying an event as malicious based only on name similarity could lead to many false alerts – and result in genuine threats being missed.
To effectively and accurately identify new, unknown malware, Check Point developed a unique AI engine that evaluates the behavior of the process and then classifies it. In this example, SandBlast Agent detected a look-alike process on one of Check Point’s customers’ endpoint devices. Check Point’s Behavioral Guard AI engine then evaluated the process’s behavior and classified it as cryptominer malware, at which point the attack attempt was prevented.
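To make the point about name similarity concrete, here is an added illustration (not Check Point's engine or code) of the two-stage logic described above: a look-alike process name on its own is only logged, and an alert is raised only when it coincides with miner-like behavior. The trusted-name list, the behavioral indicators and the three sample events are constructed for this example.

```python
import difflib
from dataclasses import dataclass, field

# Constructed list of well-known process names that masquerading attacks imitate.
TRUSTED = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe"}

@dataclass
class ProcessEvent:
    name: str                      # image name as reported by the endpoint
    cpu_percent: float             # sustained CPU use over the observation window
    remote_ports: set = field(default_factory=set)
    cmdline: str = ""

def lookalike_score(name: str, trusted=TRUSTED) -> float:
    """Highest string similarity to a trusted name (exact matches are not look-alikes)."""
    name = name.lower()
    return max((difflib.SequenceMatcher(None, name, t).ratio()
                for t in trusted if t != name), default=0.0)

def behavior_indicators(ev: ProcessEvent) -> list:
    """Constructed, simplified behavioral signals typical of a cryptominer."""
    hits = []
    if ev.cpu_percent >= 80:
        hits.append("sustained_high_cpu")
    if ev.remote_ports & {3333, 4444, 5555, 14444}:   # assumed pool ports for this example
        hits.append("mining_pool_port")
    if any(k in ev.cmdline.lower() for k in ("stratum+tcp", "--donate-level")):
        hits.append("miner_cmdline")
    return hits

def classify(ev: ProcessEvent, threshold: float = 0.8) -> str:
    """Name similarity alone never alerts; it only raises the verdict when behavior agrees."""
    similar = lookalike_score(ev.name) >= threshold
    hits = behavior_indicators(ev)
    if similar and hits:
        return "cryptominer"            # masquerading name + miner behavior: prevent
    if hits:
        return "suspicious_behavior"    # behavior alone still warrants a look
    if similar:
        return "lookalike_name_only"    # log for context, do not alert (avoids false positives)
    return "benign"

# Constructed sample events: a masquerading miner, a benign look-alike, and a trusted process.
SAMPLES = [
    ProcessEvent("svch0st.exe", 95.0, {3333}, "svch0st.exe -o stratum+tcp://pool.example:3333"),
    ProcessEvent("svchosts.exe", 2.0),
    ProcessEvent("explorer.exe", 5.0),
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(f"{ev.name:14} similarity={lookalike_score(ev.name):.2f} verdict={classify(ev)}")
```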
Preventing a new variant of the Fareit trojan
It is less costly to prevent an attack than to detect and remediate after the malware has breached the network and caused damage. This is why Check Point has invested heavily in developing industry-leading threat prevention AI engines. Check Point is able to achieve the best prevention across the industry in dozens of independent third-party tests because of these advanced AI engines.
Fareit is a Trojan that has been in the wild since 2012. Its variants typically steal users’ sensitive information such as passwords, FTP accounts and other credentials stored in web browsers. This variant was detected by Check Point’s dynamic emulation AI model five days before it was first seen on VirusTotal.
Check Point Threat Emulation is a sandboxing technology available both for on-premises networks and in the cloud. The solution incorporates an AI model that evaluates the actions taken by an executable file at run time. The model’s output is a score that is used to determine whether the file is malicious. If the model determines that the file is malicious, SandBlast Network blocks the file and prevents the attack. This AI model is responsible for 50% of Check Point’s Threat Emulation detections.
Stay tuned for additional examples on how AI is used in the detect and respond stages of the adaptive security cycle.
Learn more about how artificial intelligence helps achieve the best cyber threat prevention rates. Download the white paper.