Sophos Intercept: Next-Gen Endpoint Protection
Larry Herzog Jr., CISSP, Channel Sales Engineer
July 2017
HD Phishing: data stolen from a breach being used in a phishing campaign.
Locally targeted
Malvertising threat chain (diagram): RTB, ad network, third party
No site is immune
Exploits as a Service (diagram)
- Actors: gateway servers, exploit kit customers, victims, exploit kit admin, malware distribution servers
- Victim flow: initial request, redirection, get current domain (via Tor), landing page, exploits, malicious payloads
- Admin flow: management panel, get stats, update payloads
EK prominence
Document malware
Remote access trojans
Data stealing malware
Data stealing malware: how it works
Why does ransomware work?
- Complex threat chain
- Social engineering
- No need for persistence
- Uses existing tools
- Geographically targeted, locally customized
- It's your data
Locky
Cryptowall https://www.cryptowalltracker.org/cryptowall-4.html#targetfileextensions
Zcrypt: true virus, no need to send multiple copies https://nakedsecurity.sophos.com/2016/06/01/zcrypt-the-ransomware-thats-also-a-computer-virus/
The Evolution of Endpoint Threats: From Malware to Exploits (timeline, traditional malware to advanced threats)
- Melissa Virus, 1999, $1.2B
- Love Letter Worm, $15B, 1998
- FinFischer Spyware, 2003, $780M
- Zeus Trojan, $2.3B, 2007
- JSocket RATs, $800M, 2014
- Exploit as a Service, $500M, 2015
- Locky Ransomware, $1.1B, 2016
The Evolution of Endpoint Security: From Anti-Malware to Anti-Exploit to Next-Generation (diagram)
- Exposure prevention: URL blocking, web scripts, download reputation
- Pre-execution analytics: generic matching, heuristics, core rules
- File scanning: known malware, malware bits
- Run-time: signatureless behavior analytics, runtime behavior, exploit detection, technique identification
- Traditional malware: trojan, spyware, virus, worm
- Advanced threats: RATs, ransomware, exploit kits
INTERCEPT
Intercept: Anti-Ransomware. Anti-Exploit. Root-Cause Analysis.
- Anti-Ransomware: stops malicious encryption; behavior-based conviction; automatically reverts affected files; identifies source of attack
- Anti-Exploit: signatureless exploit prevention; protects patient zero / zero-day; blocks memory-resident attacks; low footprint and low false positives
- Root-Cause Analysis: IT-friendly incident response process; threat chain visualization; at-risk asset identification; prescriptive remediation guidance
Purpose built to complement and enhance anti-malware solutions. Security focused on exploit techniques, not merely the tools used. Designed for the IT generalist, powerful enough for the info-sec professional.
Anti-Ransomware
Anatomy of a Ransomware Attack
- Exploit kit or spam with infection
- Command & control established
- Local files are encrypted
- Ransomware deleted, ransom instructions delivered
CryptoGuard: simple and comprehensive
- Universally prevents spontaneous encryption of data
- Notifies end user on rapid encryption events
- Rollback to pre-encrypted state
Behind the scenes with CryptoGuard: how does it work?
- Monitor file access: if suspicious file changes are detected, file copies are created
- Attack detected: the malicious process is stopped and its process history is investigated
- Rollback process initiated: original file copies restored, malicious files removed, added to known ransomware definitions
- Forensic visibility: user message on desktop, admin alert in Sophos Central, root cause analysis details available
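The detect-and-rollback flow described in the two slides above, modelled as a small simulation. This is an added illustration, not Sophos code: CryptoGuard's real heuristics are not public, so the "suspicious change" signal here is assumed to be a large entropy jump on an existing file, and the threshold, window and sample files are constructed for the example.

```python
import math
from collections import defaultdict

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted output sits near 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

class RollbackMonitor:
    """Toy model: shadow-copy a file before a suspicious rewrite, count such
    rewrites per process in a window, then block the process and restore."""

    def __init__(self, files, threshold=3, window=10.0, jump=3.0):
        self.files = dict(files)          # in-memory stand-in for the disk
        self.shadow = {}                  # (pid, path) -> pre-write content
        self.events = defaultdict(list)   # pid -> timestamps of suspicious writes
        self.blocked = set()
        self.threshold, self.window, self.jump = threshold, window, jump

    def on_write(self, pid, path, data, ts):
        if pid in self.blocked:
            return "blocked"
        old = self.files.get(path, b"")
        # A large entropy jump on an existing file is the assumed 'suspicious change'.
        if entropy(data) - entropy(old) >= self.jump:
            self.shadow.setdefault((pid, path), old)
            recent = [t for t in self.events[pid] if ts - t <= self.window]
            self.events[pid] = recent + [ts]
        self.files[path] = data
        if len(self.events[pid]) >= self.threshold:
            self.rollback(pid)
            return "rollback"
        return "allowed"

    def rollback(self, pid):
        """Stop the process and put every file it touched back as it was."""
        self.blocked.add(pid)
        for key, old in list(self.shadow.items()):
            if key[0] == pid:
                self.files[key[1]] = old
                del self.shadow[key]

# Constructed sample 'disk': three plain-text business documents.
DOCS = {f"doc{i}.txt": b"quarterly report 2017, figures attached\n" * 4 for i in range(3)}
ENCRYPTED = bytes(range(256)) * 2   # stand-in for ciphertext: entropy exactly 8.0
```

A single high-entropy rewrite (a user legitimately encrypting one file) stays below the threshold and is allowed; it only becomes a rollback event once several files are rewritten in quick succession by the same process.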
Anti-Exploit
Signature-less Exploit Prevention
Root Cause Analysis
Root-Cause Analysis: understanding the who, what, when, where, why and how
- What happened? Root cause analysis: automatic report at the process / threat / registry level; 30 days of historical reporting; detailed visual representation of what other assets have been touched
- What is at risk? Compromised assets: comprehensive list of business documents, executables, libraries and files; any adjacent device (e.g., mobile) or network resource which may be at risk
- Future prevention: security posture recommendations based on historical security risks; provides steps to prevent future attacks; rich reporting of compliance status
Our Incident Response engine automatically captures core data on an incident, showing crisp summary data and details a human can understand. Plus, IT people can add comments and actions to each incident as it is investigated. We automatically add a priority depending on our analysis of the root cause and the chain itself. Obviously someone can add to this; for example, here is an exfiltrator that got caught as it attempted to reach out to a C2. And I see that the IT guy recommended we also look at Synchronized Encryption. (Show artifacts)
Sophos confidential
Digging deeper, we see that there are some business files involved in the attempted exfiltration. (Show RCA)
Advanced System Clean
Advanced System Clean
- Malware activity removal: removes threats; deep system inspection; removes malware remnants; full quarantine / removal; effective breach remediation
- On-demand assessment: identifies risky files / processes; constantly refreshed database; provides additional confidence; command-line capable
Intercept Benefits
- Performance: no user impact, no file scanning, no signatures
- Prevent unknown zero-day threats: intercepting techniques doesn't require knowledge of known threats
- Prevent every ransomware attack
- Faster incident response: root-cause visibility into threats; visualization of full attack chain
- Deep system cleanup: clean up the malware activity, not just the malware