Next Generation Detection
Detect sophisticated malware attacks, including:
- Polymorphic and zero-day malware
- Malicious attachments
- Other advanced exploits
To detect such advanced malware effectively, whether it is spread via spear-phishing emails carrying a malicious attachment, watering-hole URLs delivered over email, or longline phishing campaigns, our malware analysis technology combines several techniques to evaluate advanced threats, including:
- Real-time checks against emerging campaigns and new malicious websites that are being detected across organizations
- Static code analysis that looks for suspicious behavior, obfuscated scripts, malicious code snippets, and redirects to other malicious sites
- Dynamic malware analysis that sandboxes the destination URL or suspicious attachments to simulate a real user on a machine, with the goal of observing any changes made to the system
In the dynamic analysis stage, our anti-evasion technology tricks malware into revealing itself by creating virtual environments that accurately reproduce real systems and real user behavior and interactions. This analysis determines whether the destination URL or attachment under suspicion is malicious, and catches even malware sophisticated enough to conceal itself from conventional detection; the anti-evasion techniques include IP rotation, mouse-movement simulation, real browser sessions and time-delayed analysis.
Predictive Defense
Proofpoint applies machine-learning heuristics to model email flow at a per-user level, and at a cloud level across all traffic within Targeted Attack Protection™, in order to block URLs even before they host active malware. This cloud-based process incorporates Big Data techniques and a real-time scoring engine, including:
- Anomalytics Service
- Kill Chain Analysis and Preemptive Sandboxing
Together, these technologies make it possible to predict what is likely to be malicious and to take preemptive steps before any user has a chance to click and have their machine compromised, as explained here:
Anomalytics Service
This Big Data technique models every protected user's email patterns, building on the behavioral history of that specific user to determine which email is suspicious and requires further scrutiny; it is especially useful in spear-phishing detection. Anomalytics observes the normal mail-flow characteristics of every user mailbox and analyzes inbound email in real time to pick out anomalies. These observations then influence the system's detection and protection actions.
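The paragraph above describes a per-mailbox behavioral baseline without showing what one looks like. The following is an added illustration, not Proofpoint's code or the Anomalytics algorithm: it builds a baseline from a constructed message history for one mailbox (sender address, display name, delivery hour) and scores an inbound message against it. The feature weights, the 5% rare-hour cutoff and the scrutiny threshold are assumptions chosen for the example; the strongest signal scored is the spear-phishing pattern of a familiar display name arriving from an unfamiliar address.

```python
from collections import Counter, defaultdict

# Constructed message history for one protected mailbox: (sender address,
# display name, UTC delivery hour). Stands in for the behavioral history the
# text describes; every value here is invented for the example.
HISTORY = [
    ("alice@example.com", "Alice Smith", 9), ("alice@example.com", "Alice Smith", 10),
    ("alice@example.com", "Alice Smith", 11), ("alice@example.com", "Alice Smith", 14),
    ("alice@example.com", "Alice Smith", 10), ("alice@example.com", "Alice Smith", 9),
    ("alice@example.com", "Alice Smith", 15), ("alice@example.com", "Alice Smith", 10),
    ("alice@example.com", "Alice Smith", 16), ("alice@example.com", "Alice Smith", 9),
    ("bob@partner.example", "Bob Lee", 10), ("bob@partner.example", "Bob Lee", 11),
    ("bob@partner.example", "Bob Lee", 13), ("bob@partner.example", "Bob Lee", 14),
    ("bob@partner.example", "Bob Lee", 10),
    ("news@vendor.example", "Vendor News", 8), ("news@vendor.example", "Vendor News", 8),
    ("news@vendor.example", "Vendor News", 8), ("news@vendor.example", "Vendor News", 8),
    ("news@vendor.example", "Vendor News", 8),
]

RARE_HOUR_FRACTION = 0.05  # assumed: hours seen in under 5% of history are unusual
SCRUTINY_THRESHOLD = 30    # assumed: score at which a message is escalated


def build_baseline(history):
    """Summarise one mailbox's normal inbound mail flow."""
    senders = Counter(addr.lower() for addr, _, _ in history)
    domains = Counter(addr.lower().split("@", 1)[1] for addr, _, _ in history)
    hours = Counter(hour for _, _, hour in history)
    # display name -> set of addresses it has legitimately arrived from
    names = defaultdict(set)
    for addr, name, _ in history:
        names[name.strip().lower()].add(addr.lower())
    return {"senders": senders, "domains": domains, "hours": hours, "names": names}


def score_message(baseline, sender, display_name, hour):
    """Return (score, reasons) for one inbound message against the baseline."""
    addr = sender.lower()
    domain = addr.split("@", 1)[1]
    score, reasons = 0, []

    # Strongest signal: a known display name from an address that name has
    # never used before, the classic impersonation pattern in spear phishing.
    known_addrs = baseline["names"].get(display_name.strip().lower(), set())
    if known_addrs and addr not in known_addrs:
        score += 50
        reasons.append("display name matches a known contact but address differs")

    if addr not in baseline["senders"]:
        score += 10
        reasons.append("first message from this sender")
        if domain not in baseline["domains"]:
            score += 10
            reasons.append("first message from this domain")

    total = sum(baseline["hours"].values())
    if total and baseline["hours"][hour] / total < RARE_HOUR_FRACTION:
        score += 10
        reasons.append("unusual delivery hour for this mailbox")
    return score, reasons


def needs_scrutiny(baseline, sender, display_name, hour):
    """True when the message should be escalated (e.g. to sandboxing)."""
    score, _ = score_message(baseline, sender, display_name, hour)
    return score >= SCRUTINY_THRESHOLD


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for msg in [("alice@example.com", "Alice Smith", 10),
                ("alice.smith@examp1e-mail.test", "Alice Smith", 3)]:
        print(msg, score_message(base, *msg))
```

The point of keeping the baseline per mailbox is that the same message can be normal for one user and anomalous for another; a fleet-wide sender reputation alone would miss the impersonation case, because the lookalike address has no history anywhere.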
Kill Chain Analysis and Preemptive Sandboxing
This technique leverages patterns derived from history, Alexa ranking, IP block reputation, the velocity of email sent from an originating IP, and other criteria observed along the browser path, including Traffic Distribution System (TDS) IPs and obfuscated redirects. Based on these patterns and known kill chain elements (TDSs, redirects), it is often possible to block URLs preemptively, even before malware analysis; in other cases the anomalies trigger proactive sandboxing of the destination URLs and ultimately help declare entire normalized patterns malicious, which reduces the time and effort needed to stop the damage of a campaign.
Follow Me Protection
Leverage an agentless, cloud-based service with URL intelligence to protect users from malicious links in email no matter when or where they click the URL: while working remotely, on BYOD devices, and more. A frequent tactic is to send users socially engineered emails designed to entice them to click a URL within the email. The web destination either automatically initiates a download or tricks the user into entering sensitive or private information. Proofpoint research has shown that 20% of user clicks on malicious emails occur off the corporate network, bypassing on-premise security controls.
Proofpoint's URL Defense Service rewrites the URL so that, wherever the user checks their email, Proofpoint can:
- Protect: Protect your enterprise by testing every URL behind the scenes at click time, wherever and whenever it is clicked, so that the organization is always protected, whether the user is accessing email on the corporate VPN or over an unsecured public connection
- Expose: Provide discrete visibility and click-tracking by ensuring URLs are unique for each recipient and each message, enabling end-to-end insight
- Complement: Respect your existing layers of security by not acting as a proxy service, but instead using a 302 redirect to send the user's browser on to the destination once Targeted Attack Protection has confirmed it is safe. This proxy-less approach ensures existing corporate security controls and acceptable use policies are not bypassed
Follow Me Protection works in conjunction with Next Generation Detection and Predictive Defense to provide a comprehensive solution that defends against advanced attacks even after an email has been delivered to the recipient's inbox.
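The three bullets above (click-time testing, per-recipient unique URLs, and a 302 redirect rather than a proxy) fit together into one small mechanism, shown here as an added example. It is not Proofpoint's code and does not reproduce the real URL Defense link format: the rewrite host `click.example`, the query parameter names, the HMAC construction and the `sample_verdict` lookup are all assumptions made for the illustration. The rewriter binds the recipient and message into an HMAC so every copy of a link is unique and tamper-evident; the click handler verifies that MAC, asks for a verdict at click time, and answers with a 302 to the destination or a block page, recording the click either way.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical rewrite host for this example; not the real service's format.
REWRITE_ENDPOINT = "https://click.example/v1"

# Constructed stand-in for the analysis system's click-time verdict.
KNOWN_BAD_HOSTS = {"malicious.example"}


def sample_verdict(url):
    """Constructed verdict lookup; a real deployment analyses the URL at click time."""
    host = (urlparse(url).hostname or "").lower()
    return "malicious" if host in KNOWN_BAD_HOSTS else "clean"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key, recipient, message_id, url):
    # Binding recipient and message into the MAC makes each rewritten link
    # unique per recipient and per message, and stops a forged tracking link
    # from attributing a click to someone else.
    msg = "\n".join([recipient, message_id, url]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def rewrite_url(url, recipient, message_id, key):
    """Replace a link in one recipient's copy of a message with a tracked link."""
    params = {
        "u": _b64(url.encode()),
        "r": _b64(recipient.encode()),
        "m": message_id,
        "s": _sign(key, recipient, message_id, url),
    }
    return REWRITE_ENDPOINT + "?" + urlencode(params)


def handle_click(rewritten_url, key, verdict_for=sample_verdict):
    """Click-time handler: verify the link, get a verdict, redirect or block.

    Returns the HTTP status to send, the Location header (for a 302) and the
    click record that feeds per-user reporting.
    """
    query = parse_qs(urlparse(rewritten_url).query)
    try:
        url = _unb64(query["u"][0]).decode()
        recipient = _unb64(query["r"][0]).decode()
        message_id = query["m"][0]
        signature = query["s"][0]
    except (KeyError, IndexError, ValueError, UnicodeDecodeError):
        return {"status": 400, "location": None, "click": None}

    if not hmac.compare_digest(signature, _sign(key, recipient, message_id, url)):
        return {"status": 400, "location": None, "click": None}

    verdict = verdict_for(url)
    click = {"recipient": recipient, "message_id": message_id,
             "url": url, "verdict": verdict}
    if verdict == "malicious":
        # Serve a block page instead of redirecting; the click is still
        # recorded so reporting can show who clicked and who was stopped.
        return {"status": 403, "location": None, "click": click}
    # Not a proxy: a plain 302 hands the browser to the destination itself,
    # so existing egress controls still see the real request.
    return {"status": 302, "location": url, "click": click}


if __name__ == "__main__":
    key = b"constructed-demo-key"
    link = rewrite_url("https://docs.example/report.pdf",
                       "user@corp.example", "<msg-1@corp.example>", key)
    print(link)
    print(handle_click(link, key))
```

Because the verdict is fetched when the click happens rather than when the mail was delivered, a URL that was clean at delivery but later weaponised is still caught, which is the property the "Protect" bullet describes.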
End-to-End Insight
Obtain details of attacks, understand the size of the threat, identify the specific users that were affected, and get real-time notifications for potential incidents that require investigation. Proofpoint provides a graphical, web-based threat analysis dashboard that offers data at the organizational, threat and user levels, enabling you to take immediate action. Administrators, security professionals and incident response teams can:
- Analyze how many and what types of email threats the organization is currently receiving, and how this compares with other organizations
- Identify who has received malicious email threats, who has received malicious attachments, how many messages carrying the same malicious email threat were delivered, when they were received, which users clicked, and which users were permitted through to the malicious destination, via click tracking
- Extract malware forensics to determine the behavior involved in the targeted threat in question
In addition, administrators and incident response teams can be notified in real time when a threat is detected that requires remediation of a user's machine.