ENDGAME PROTECTS FINANCIAL SERVICES FROM TARGETED ATTACKS


A Typical Targeted Attack (figure)

1. Initial exploit
2. PowerShell initiated
3. PowerShell injects malicious code in memory and creates hidden persistence
4. Remote access maintained
5. All artifacts removed except for in-memory payload and hidden persistence

Targeted attacks are 100% successful

Targeted attacks are not just malware

The financial services and banking industry has been a victim of targeted attacks that compromise critical systems and steal sensitive personally identifiable information (PII). These attacks are human-driven, well planned and sophisticated, with a specific objective such as financial gain, reputational damage or even destruction. Targeted attacks are not just malware-based but use advanced techniques that were formerly only available to well-resourced nation-state adversaries.

A recent 2016 targeted attack hit over 140 enterprises globally, including banking, government and telecom organizations. The attack didn't use malware, but rather leveraged legitimate tools to compromise critical systems while existing only in memory. Attackers integrate multiple attack vectors, such as exploits, fileless (memory-based) attacks and malware-less techniques, and are 100% successful at compromising enterprises.


Timeline figure (attacks by year and actor type): 2010 nation; 2015 nation/crime; 2016 crime. Attacks shown: Stuxnet, Shamoon (Saudi oil), N. Korea SWIFT attack, APT28 (Russia, DNC), NetTraveler, Shamoon2, Dridex, Odinaff.

NEXT-GEN AND NICHE SOLUTIONS ARE TOO LATE TO STOP DAMAGE AND LOSS

Targeted attacks are evolving rapidly, evading point products, legacy EDR solutions and enterprise platforms alike. Most security programs have next-gen AV or niche products; these are point solutions that stop a specific attack vector, such as malware or exploits, or that depend on stale intelligence, known IOCs and slow rules-based technology. It’s not just the sophistication of the attacks that defeats defense. Speed kills too.

IOC-search-based tools require skilled analysts, often with prior knowledge of an attack, and time to build sophisticated queries to detect each piece of an attack and orchestrate a response in time to stop damage and loss. Legacy EDR technologies are sold with expensive managed services because they are difficult to maintain (e.g. curating rules) and have efficacy challenges. Compromise is inevitable, but breaches can be stopped. Because breaches can be catastrophic, enterprises must design their security programs to achieve zero breach tolerance.

Endgame is an endpoint security solution that enables enterprises to achieve zero breach tolerance and stops all targeted attacks and their components: malware, ransomware, exploits, and the malware-less and fileless attacks that bypass enterprise defenses.

TARGETED ATTACKS ARE INCREASING IN LETHALITY

Attacks targeting banks and financial services have reached new heights, with the $81 million digital heist on the Bangladesh Central Bank in 2016 and the Carbanak group reeling in up to $1 billion worldwide from the financial industry since 2013. Dridex and Odinaff, two targeted banking attack campaigns used by crimeware groups, have multiple advanced vectors and the sophistication of nation-state hackers. These attacks epitomize how cybercriminals are employing targeted attacks for financial gain, leveraging nation-state sophistication. The National Crime Agency in the UK believes the Dridex campaign may be one of the costliest attacks in the financial sector, with global losses exceeding $100 million.


DRIDEXV4 ATTACK LIFE-CYCLE

DRIDEXV4 ATTACK LIFE-CYCLE (figure)

Phases: Initial Compromise -> Attacker Entrenches -> Attacker Pivots -> Theft
Stage labels: Exploit, Entrench, Propagate, Evade, Collect, Execute, Breach

• Numerous exploit methods observed
• Code injection via AtomBombing technique to gain execution
• Random legitimate Windows binaries dropped to new directories
• Malicious DLLs dropped in same directories for DLL side loading
• Creates firewall rule to allow C2
• Running in explorer.exe
• Collects and steals banking information
• Employs stolen credentials for massive theft

Dridex malware campaigns have used phishing campaigns to deploy Locky ransomware in the past, and recently exploited a zero-day vulnerability in Microsoft Office to target millions of people. The attacker can take over the machine when the victim simply opens an attachment. The exploited vulnerability, a remote code execution bug, shows an increase in the sophistication of the Dridex malware campaigns. Similarly, DridexV4 is credited with the first use of AtomBombing code injection in the wild. AtomBombing allows attackers to evade detection, and has been deployed in version 4 of the financial trojan, in conjunction with the ability to track victims to bank sites and steal banking credentials and financial data. The code injection addition to Dridex makes it harder to detect, shuffling things up for detection mechanisms, and thus requires protection layers on endpoints to prevent it from deploying.
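A defender-side way to turn the entrenchment indicators in the DridexV4 life-cycle above (a legitimate Windows binary dropped to a new directory, a DLL written beside it for side loading, and a firewall rule added to allow C2) into detection logic over endpoint telemetry, added here as an example that is not Endgame's code and not part of the original brochure. The event format, the hostnames and paths, and the list of Windows binary names are constructed assumptions; real input would be the file and firewall events an endpoint sensor records.

```python
from collections import defaultdict

# Assumption for illustration: legitimate Windows binaries whose normal home is
# under C:\Windows. A copy of one written anywhere else is treated as "dropped".
WINDOWS_BINARIES = {"wermgr.exe", "svchost.exe", "rundll32.exe", "explorer.exe"}
WINDOWS_ROOT = "c:\\windows"


def split_path(path):
    """Return (directory, filename), lower-cased with backslash separators."""
    path = path.lower().replace("/", "\\")
    directory, _, name = path.rpartition("\\")
    return directory, name


def analyze(events):
    """Correlate per-host events into the three entrenchment indicators.

    Each event is a dict with 'host' and 'type'. type == 'file_create' carries
    'path'; type == 'firewall_rule_add' carries 'rule_name' and 'action'.
    A host is reported only when at least two of the three indicators are
    present, so a lone firewall change by an administrator does not fire.
    """
    dropped = defaultdict(set)       # host -> dirs holding a relocated Windows binary
    dll_dirs = defaultdict(set)      # host -> dirs where any DLL was written
    allow_rules = defaultdict(list)  # host -> names of allow rules added

    for ev in events:
        host = ev["host"]
        if ev["type"] == "file_create":
            directory, name = split_path(ev["path"])
            if name in WINDOWS_BINARIES and not directory.startswith(WINDOWS_ROOT):
                dropped[host].add(directory)
            elif name.endswith(".dll"):
                dll_dirs[host].add(directory)
        elif ev["type"] == "firewall_rule_add" and ev.get("action") == "allow":
            allow_rules[host].append(ev["rule_name"])

    findings = {}
    for host in set(dropped) | set(allow_rules):
        # Side-loading staging = a relocated binary and a DLL in the same directory
        sideload_dirs = sorted(dropped[host] & dll_dirs[host])
        indicators = []
        if dropped[host]:
            indicators.append("relocated_windows_binary")
        if sideload_dirs:
            indicators.append("dll_sideload_staging")
        if allow_rules[host]:
            indicators.append("firewall_allow_rule")
        if len(indicators) >= 2:
            findings[host] = {
                "indicators": indicators,
                "sideload_dirs": sideload_dirs,
                "allow_rules": allow_rules[host],
            }
    return findings


# Constructed sample telemetry (not real data): WS-017 shows the full pattern,
# WS-022 shows a benign Windows update plus a vendor install adding a rule.
SAMPLE_EVENTS = [
    {"host": "WS-017", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Qtpl\wermgr.exe"},
    {"host": "WS-017", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Qtpl\wer.dll"},
    {"host": "WS-017", "type": "firewall_rule_add",
     "rule_name": "Core Networking Update", "action": "allow"},
    {"host": "WS-022", "type": "file_create",
     "path": r"C:\Windows\System32\wermgr.exe"},
    {"host": "WS-022", "type": "file_create",
     "path": r"C:\Program Files\Vendor\app.dll"},
    {"host": "WS-022", "type": "firewall_rule_add",
     "rule_name": "Vendor App", "action": "allow"},
]

if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_EVENTS).items():
        print(host, finding)
```

The two-of-three rule is the design choice worth noting: each indicator on its own is common in benign activity (software installers write DLLs and add firewall rules), so the correlation across a host's file and firewall events is what makes the alert actionable for a Tier 1 analyst.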

“Dridex is one of the most nefarious banking Trojans active in the financial cybercrime arena”


ENDGAME STOPS ONGOING DRIDEX IN 5 MINUTES ACROSS 50,000 ENDPOINTS

WITHOUT ENDGAME: In-Memory Investigation

1. Tier 1 analyst gets an alert for an anomalous endpoint event
2. Tier 1 analyst pushes this to a Tier 2/3
3. Tier 2/3 investigates using network indicators and Sysinternals; determines machine is compromised: 20 mins
4. Tier 3 does memory forensics, a memory dump on a single endpoint [8 GB]: 10 mins
5. Tier 3 analyzes memory using a 3rd-party tool like Rekall or Volatility: 120 mins
6. Remediate one single endpoint and reimage: 10 mins
7. Sub total: 160 minutes of analysis by Tier 3 on 1 offline machine
8. Pivot across 50K endpoints: 53 YEARS, 3 MONTHS, 4 DAYS, 7 HOURS, SIX MINUTES, AND 41 SECONDS

WITH ENDGAME: In-Memory Investigation

Tier 1: 5 MINUTES


Endgame stops targeted attacks and all of their components, with a single agent, responding across hundreds of thousands of endpoints, before damage and loss.

ENDGAME STOPS TARGETED ATTACKS AND THEIR COMPONENTS

Endgame prevents, detects and hunts for targeted attacks and all their components across hundreds of thousands of endpoints, before damage and loss occurs. Our single-agent protection technology, unlike any other solution, stops malware, exploits, malware-less and fileless attacks, and ransomware.

• Patent-pending Hardware Assisted Control Flow Integrity (HA-CFI) technology and Dynamic Binary Instrumentation (DBI) block zero-day exploits and malicious macros before malicious code execution.

• Endgame MalwareScore™, one of the few signature-less engines running in VirusTotal, prevents execution of over 99% of known and unknown malware.

• Patent-pending process injection protection prevents fileless attacks designed to evade existing defenses.

• Endgame behavioral protection has been tested against over forty ransomware families, including WannaCry, Locky and CryptoLocker, and stops 96% of attacks before damage and loss.

• Endgame Artemis™, AI security mentor, automates analysis and response across hundreds of thousands of endpoints, ensuring operators restore them with zero disruption before damage and loss occurs.

Single dissolvable agent, full stack protection

STOP ALL TARGETED ATTACKS
ELIMINATE COSTLY IR AND FORENSIC RETAINERS
REDUCE COMPLEXITY

Figure: attack components covered (Exploits, Malware, Fileless Attacks, Malwareless, Ransomware, Persistence) and agent stages (Deploy, Collect, Analyse, Respond).

• Easy deployment and management
• Dissolvable, or Persistent
• In band and out of band
• Real time event collection for File, Registry, User, Process, Network, Netflow, DNS
• Complete attack lifecycle analysis
• Live memory analysis stops in-memory attacks
• One click response
• Zero business disruption

• HA-CFI™: exploit prevention stops 0-days and malicious macros before code execution
• MalwareScore™: signature-less malware prevention prevents 99% of known and unknown malware
• Patent-pending process injection protection and fileless attack detection prevent fileless attacks
• Endgame attacker technique protection stops misuse of legitimate tools, e.g. PowerShell
• Endgame behavioral protection stops ransomware attacks before damage and loss
• Malicious persistence analytics stop adversary entrenchment in minutes across 50,000 endpoints


Endgame Stops All Targeted Attacks

Single Agent Single Console for Prevention And Response

Endgame’s hardware-assisted and signature-less prevention technology stops all attack components.

Streamlined response in time to stop damage and loss.


Eliminate Costly IR and Forensic Retainers

Endgame Artemis™ is the first machine learning-powered chatbot for Tier 1 analysts to restore 50,000 endpoints in minutes.

“Artemis, is anyone misusing PowerShell in the enterprise?”

“Artemis, are there any ongoing in-memory attacks in the new partner network?”

“Artemis, did any endpoint transmit more than 5M to an external IP that it never transmitted to before?”

“Artemis, kill process with hash 0c44298fc1c14b92427934ca4 95991b7852b85598fc1c14b92 on all enterprise endpoints.”

“Artemis, how did file “x” get on my network and where else is it?”
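One of the Artemis questions above, whether any endpoint transmitted more than 5M to an external IP it had never transmitted to before, written out as detection logic over netflow records, added here as an example that is not Endgame's code and not part of the original brochure. The line format, the hostnames, the address ranges treated as internal (RFC 1918), and the reading of "5M" as 5,000,000 bytes are assumptions; the baseline of previously seen (host, destination) pairs would in practice come from stored flow history.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the enterprise's internal address space is RFC 1918; any other
# destination counts as an external IP. "5M" is read as 5,000,000 bytes.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THRESHOLD_BYTES = 5_000_000

# Constructed netflow line format: <timestamp> <host> <src_ip> <dst_ip> bytes_out=<n>
FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) bytes_out=(\d+)$")


def is_external(ip):
    """True when the address is outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (host, dst_ip, bytes_out) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            _, host, _, dst, nbytes = m.groups()
            yield host, dst, int(nbytes)


def first_seen_large_egress(flows, baseline, threshold=THRESHOLD_BYTES):
    """Find hosts that sent more than `threshold` bytes to a new external IP.

    baseline: set of (host, dst_ip) pairs observed before the query window.
    Bytes are summed per (host, dst_ip) across the window, so a transfer split
    into several flows still counts. Returns a sorted list of
    (host, dst_ip, total_bytes).
    """
    totals = defaultdict(int)
    for host, dst, nbytes in flows:
        if (host, dst) in baseline or not is_external(dst):
            continue
        totals[(host, dst)] += nbytes
    return sorted((h, d, b) for (h, d), b in totals.items() if b > threshold)


# Constructed sample flows (not real data). Two flows from WS-017 to a new
# external IP add up past the threshold; the others are internal, known, or small.
NETFLOW_LINES = """\
2017-05-02T09:58:11Z WS-017 10.20.30.17 203.0.113.45 bytes_out=3100000
2017-05-02T10:02:40Z WS-017 10.20.30.17 203.0.113.45 bytes_out=2600000
2017-05-02T10:05:02Z WS-017 10.20.30.17 198.51.100.8 bytes_out=7000000
# sensor restart: line intentionally malformed and skipped by the parser
2017-05-02T10:07:19Z WS-022 10.20.30.22 10.20.1.5 bytes_out=9000000
2017-05-02T10:09:55Z WS-031 10.20.30.31 198.51.100.8 bytes_out=800000
"""
# Constructed baseline: WS-017 has sent to 198.51.100.8 (a backup service) before.
BASELINE = {("WS-017", "198.51.100.8")}


def run_sample():
    return first_seen_large_egress(parse_flows(NETFLOW_LINES), BASELINE)


if __name__ == "__main__":
    for host, dst, total in run_sample():
        print(f"{host} -> {dst}: {total} bytes to a never-before-seen external IP")
```

Summing per destination across the window matters: neither single flow from WS-017 to 203.0.113.45 crosses 5M on its own, so a per-flow threshold would miss it, while the baseline check keeps routine large transfers to known destinations out of the result.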

The Endgame Value

• Stop damage and loss
• Reduce cost and impact of IR
• Reduce operational costs
• New productivity, not new people

About Endgame

Endgame is a leading endpoint security platform that enables enterprises to close the protection gap against advanced attacks and detect and eliminate resident adversaries. Endgame transforms security operations teams and incident responders from crime scene investigators into hunters preventing damage and loss, and dramatically reduces the time and cost associated with incident response and compromise assessment. Our IOC-independent platform covers the entire attack lifecycle, leveraging machine learning and data science to uncover, in real time, unique attacks that evade traditional defenses and respond precisely without disrupting normal business operations.

WWW.ENDGAME.COM 3101 WILSON BLVD, ARLINGTON, VA 22201