Intercepting Advanced Threats
Anurag Singh, Sophos Sales Engineer
Top Threats in the US
- Exploits: Flash, downloaders, JS redirects, malvertising
- Ransomware: droppers, phishing, shortcut files, document macros
- Phishing: 93% of phishing emails carry a ransomware payload (CSO Online)
- Industrialized attacks: a successful attacker can earn up to $394,000 in a single month
Malware
File-based malware:
- Portable executables: 56%
- Documents and media files: 30%
- Scripts, Java, web pages: 11%
- Other: 3%
Fileless malware:
- Exploit-driven attacks
- Application behavior abuse
- 90% of breaches use an exploit
Most attacks involve more than one approach to compromise the system:
- A drive-by exploit installs a dropper on the device, which then deploys malware
- An Office document or PDF with a macro connects to a command-and-control server, then performs rapid file encryption or deploys malware
Active adversaries can "live off the land" and never deploy files:
- Leverage existing vulnerabilities to penetrate the system
- Migrate to a privileged process
- Load malware directly into running processes
- Extract critical documents and user authentication credentials
Phishing examples
- HD phishing: data stolen in a breach being reused in a phishing campaign
- Locally targeted phishing
- Document malware
Petya at a Glance
- Petya is an old ransomware variant from 2016
- New trick: lateral movement a la WannaCry
- Internal only: no external propagation
- Ransomware encrypts files
- Cost: $300 in Bitcoin; the contact email address was shut down
- Infects the master boot record and forces a reboot
- Kill switch identified
- Motive believed to be an attack against Ukraine
- Only about $10k in ransom collected
- Patching against WannaCry wasn't foolproof

Speaker notes: Alright, moving right along to Petya, also known as NotPetya, Nyetya and a bunch of other colorful names. We'll focus on the most recent attack, which started on June 27, 2017 and was far more targeted than WannaCry. It initially spread around Ukraine, with an estimated 80% of infections appearing there before it spread worldwide as well, although it could be argued that the worldwide spread was more collateral damage than anything else. Petya itself is a ransomware variant from 2016, though the 2017 attack had some new tricks up its sleeve. Like WannaCry, it leveraged the EternalBlue SMB exploit to move laterally across networks. Unlike WannaCry, it didn't attempt to spread randomly via the internet, again a sign of a more targeted attack. The ransomware scrambled user files and demanded $300 in Bitcoin; victims were told to email proof of payment to an address that was swiftly shut down by the email provider, making it pointless to pay since the attackers could no longer learn who had paid or send anyone a key. The malware then overwrites the master boot record and forces a reboot; the fake disk-check screen shown after the reboot is actually encrypting the Master File Table, so the disk can no longer locate its own files. It would be like going into a library, knocking all the books on the floor, and locking the librarian in a closet. And then even if you manage to find the book you're looking for, all the text has been rearranged into nonsense. Like WannaCry, this one contained a kill switch. However, this kill switch was not URL-based; it was a check for a local file. More on that in a bit.
Once the dust had settled and we'd all had time to analyze the attack, it became apparent that this was not so much a ransomware attack as an attack against Ukraine: it didn't attempt to spread via the internet, the ransom demanded was monetarily low and the email address didn't work, and it turned out that for some variants the infection wasn't reversible even if the decryption keys became available. And in light of WannaCry, Petya first leveraged the same SMB exploit which, by June, should have been patched on every system by anyone who paid any attention to WannaCry. If that didn't work, it went on to try a couple of additional methods: stealing credentials from the machine it was already on and reusing them with PsExec or WMIC. We'll dive a bit deeper into the attack now.
Exploits as a Service (diagram)
- Victims: initial request to a compromised site; redirection through gateway servers ("get current domain") to the exploit kit landing page; exploits delivered; malicious payloads fetched from malware distribution servers
- Exploit kit admin: management panel reached over Tor; views stats and updates payloads
- Exploit kit customers: buy access to the kit and retrieve stats on their victims
- Sophisticated and coordinated
Syndicated HaaS platforms make it easy
- A fully integrated SaaS console covering network and endpoint techniques, from infecting a website all the way to delivering an endpoint payload and selling the results
- Zero-day exploits automatically included
- Detailed opportunity tracking
Why cyber security is transitioning to new technology
The volume of malware is staggering:
- Circa 1992: 1,500
- Circa 2001: 60,000
- 2017: 600,000,000 total malware
1990s: signature-based anti-virus
- One-to-one map of checksums to malware
- String scanning
- Requires a victim to report the malware so a new signature can be built

Speaker notes: The volume of malware is simply astounding; 400K unique malware samples per day pass through SophosLabs. The days of checksum checking are long gone.
A real-world attack
- Initial malware delivery
- SMB exploit (CVE-2017-0144, CVE-2017-0145, both fixed by MS17-010), internet/local network: leverage the SMB exploit to move to other devices and organizations
- Credential theft: dump credentials from LSASS
- Network scan: identify targets for lateral movement
- Lateral movement, local network: leverage PsExec or WMIC with the stolen credentials to move to target machines
- Launch additional attack steps (multithreaded)
- Attack master boot record: overwrite the boot sector to display the ransom note and to destroy the disk
- File encryption: encrypt local files
Sophos Endpoint Advanced
Attack surface reduction:
- Device control: restrict connected devices
- Web control: block prohibited websites
- App control: block prohibited applications
Malware detection layers:
- Web protection: prevent navigation to malware delivery sites
- File heuristic and signature checks: evaluate all file types for malware
- Runtime memory scanning: scan memory when triggered by suspect behaviors; a scan can also be triggered by Malicious Traffic Detection
- Integrates with Synchronized Security: Sophos Firewall and endpoint share contextual threat information
Data loss prevention:
- DLP: monitor data leaving the device for prohibited content
Diagram: internet/remote device to Sophos protected endpoint: device/web/app control; web protect; pre-execute (signatures and heuristics); memory scanning (behavior trigger); DLP scanning on data leaving the device
Sophos Intercept X
Malware detection layers:
- Machine learning detection: scan executables for malware
- Prohibited behavior blocking: block malicious behavior, like ransomware
- Anti-exploit and hacking protection: block exploits and hacking techniques
Forensics:
- Root Cause Analysis: shows the chain of events leading to malicious activity
Diagram: internet/remote device to Sophos protected endpoint: pre-execute (ML); process lockdown (behavior); exploit and hacking prevention; RCA (forensics for evaluation)
Sophos Endpoint Advanced with Sophos Intercept X
Attack surface reduction:
- Device, web and application control
Malware detection layers:
- Web protection
- File heuristic and signature checks
- Machine learning detection
- Runtime memory scanning
- Prohibited behavior blocking
- Anti-exploit and hacking protection
- Integrates with Synchronized Security
Data loss prevention:
- DLP
Forensics:
- Root Cause Analysis
Diagram: internet/remote device to Sophos protected endpoint: device/web/app control; web protect; pre-execute (ML and signatures/heuristics); memory scanning (behavior trigger); process lockdown (behavior); exploit and hacking prevention; DLP scanning on data leaving the device; RCA (forensics for evaluation)
Intercept X response
- SMB exploit (CVE-2017-0144, CVE-2017-0145), internet/local network: leverage the SMB exploit to move to other devices and organizations
- Initial malware delivery
- Credential theft: dump credentials from LSASS
- Network scan: identify targets for lateral movement
- Lateral movement, local network: leverage PsExec or WMIC with the stolen credentials to move to target machines
- Launch additional attack steps (multithreaded)
- Attack master boot record: if Kaspersky is deployed, destroy disk sectors; if not, deploy the ransom boot loader
  Response: Master Boot Record Protection prevents MBR tampering and terminates the attacking process
- File encryption: encrypt local files
  Response: CryptoGuard prevents rapid file encryption and restores attacked files
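The last step of the chain above, rapid file encryption, is the behaviour CryptoGuard is described as blocking and reverting. The following is an added example of that idea in Python; it is not Sophos code and not from the slides. The in-memory "disk", the thresholds (five plaintext-to-ciphertext rewrites by one process inside a two-second window), the entropy measure and the toy XOR cipher used to stand in for ransomware are all constructed for the illustration.

```python
# Added example: a simplified model of "block rapid file encryption, then restore".
# Not Sophos code. File store, thresholds, cipher and sample writer are constructed.
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents sit well below 7, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class EncryptionGuard:
    """Per-process write monitor: too many low-entropy files rewritten with
    high-entropy content in a short window gets the writer blocked and its
    victims restored from the shadow copies taken before each rewrite."""

    def __init__(self, window=2.0, max_suspicious=5, entropy_threshold=7.0):
        self.window = window
        self.max_suspicious = max_suspicious
        self.entropy_threshold = entropy_threshold
        self.files = {}                      # path -> current bytes (stands in for the disk)
        self.shadow = {}                     # path -> pre-attack bytes, kept until rollback
        self.suspicious = defaultdict(list)  # pid -> [(time, path)] of suspect rewrites
        self.blocked = set()

    def write(self, pid: int, path: str, data: bytes, now: float) -> str:
        if pid in self.blocked:
            return "denied"                  # a convicted process gets no further writes
        old = self.files.get(path, b"")
        # The signal: readable content replaced by ciphertext-like content.
        if (shannon_entropy(old) < self.entropy_threshold
                and shannon_entropy(data) >= self.entropy_threshold):
            self.shadow.setdefault(path, old)       # cache the original before it is lost
            recent = [(t, p) for t, p in self.suspicious[pid] if now - t <= self.window]
            recent.append((now, path))
            self.suspicious[pid] = recent
        self.files[path] = data
        if len({p for _, p in self.suspicious[pid]}) >= self.max_suspicious:
            self.blocked.add(pid)
            return f"blocked,restored={self.rollback(pid)}"
        return "ok"

    def rollback(self, pid: int) -> int:
        """Put back every file this process rewrote with ciphertext."""
        restored = 0
        for _, path in self.suspicious[pid]:
            if path in self.shadow:
                self.files[path] = self.shadow.pop(path)
                restored += 1
        return restored


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Deterministic XOR with a SHA-256 counter keystream. Illustration only,
    chosen so the 'ransomware' output is reproducible; not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def simulate(num_files: int = 20) -> dict:
    """Constructed scenario: a benign process creates documents, then one
    ransomware-like process (pid 4242) tries to rewrite all of them."""
    guard = EncryptionGuard()
    plaintext = (b"Quarterly report: revenue up, costs flat. " * 100)[:4096]
    paths = [f"C:/Users/alice/Documents/doc{i}.txt" for i in range(num_files)]
    for i, p in enumerate(paths):
        guard.write(pid=100, path=p, data=plaintext, now=0.001 * i)
    results = []
    for i, p in enumerate(paths):
        ciphertext = toy_encrypt(b"attacker-key", plaintext)
        results.append(guard.write(pid=4242, path=p, data=ciphertext, now=10.0 + 0.01 * i))
    intact = sum(1 for p in paths if guard.files[p] == plaintext)
    return {"results": results, "intact": intact, "blocked": 4242 in guard.blocked}


if __name__ == "__main__":
    print(simulate())
```

Note that the first few rewrites are allowed through; the guard convicts on the pattern, not on any single write, which is why the shadow copy has to be taken before each suspicious write rather than after the verdict.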
Malware delivery techniques
Only 56% of malware is an executable that can be evaluated by machine learning.
File-based malware:
- Portable executables: 56% (machine learning)
- Documents and media files: 30%
- Scripts, Java, web pages: 11%
- Other: 3%
Fileless malware:
- Exploit-driven attacks
- Application behavior abuse
- 90% of breaches use an exploit
Detection layers mapped to these categories: machine learning, behavior, exploit and hacking protection.
Most attacks involve more than one approach to compromise the system:
- A drive-by exploit installs a dropper on the device, which then deploys malware
- An Office document or PDF with a macro connects to a command-and-control server, then performs rapid file encryption or deploys malware
Active adversaries can "live off the land" and never deploy files:
- Leverage existing vulnerabilities to penetrate the system
- Migrate to a privileged process
- Load malware directly into running processes
- Extract critical documents and user authentication credentials
Stopping NotPetya
- Initial malware delivery
  Response: Deep Learning detects and blocks the PE file as malicious
- SMB exploit (CVE-2017-0144, CVE-2017-0145), internet/local network: leverage the SMB exploit to move to other devices and organizations
  Response: APC violation detection blocks the exploit technique
- Credential theft: dump credentials from LSASS
  Response: Credential Theft protection prevents LSASS and SAM database credential extraction
- Network scan: identify targets for lateral movement
- Lateral movement, local network: leverage PsExec or WMIC with the stolen credentials to move to target machines
  Response: Synchronized Security prevents network traffic from compromised devices
- Launch additional attack steps (multithreaded)
- Attack master boot record: if Kaspersky is deployed, destroy disk sectors; if not, deploy the ransom boot loader
- File encryption: encrypt local files
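The three chain slides above (the real-world attack, the Intercept X response and this one) describe the same sequence: LSASS credential dump, SMB scan of the local network, PsExec/WMIC with stolen credentials, then boot record tampering. As an added example, not Sophos code and not from the deck, here is a small Python correlation rule set that walks endpoint telemetry for those stages and ties child processes back to their parent so the whole chain lands on one originating process. The event records are constructed for the example and only loosely modelled on Sysmon event categories; the field names, the event type "RawDiskWrite", the file name payload.dat and the thresholds are assumptions.

```python
# Added example: correlating endpoint telemetry for the credential-theft ->
# scan -> lateral-movement -> MBR-tamper chain. Not Sophos code. Events below
# are constructed; schema is only loosely Sysmon-like and is an assumption.
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    {"host": "WS01", "type": "ProcessCreate", "pid": 3100, "ppid": 900,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\payload.dat,#1"},      # hypothetical dropper
    {"host": "WS01", "type": "ProcessAccess", "pid": 3100,
     "image": r"C:\Windows\System32\rundll32.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
    # six SMB connection attempts to distinct neighbours = a scan
    *[{"host": "WS01", "type": "NetworkConnect", "pid": 3100,
       "dst": f"10.0.0.{n}", "dport": 445} for n in range(11, 17)],
    {"host": "WS01", "type": "ProcessCreate", "pid": 3200, "ppid": 3100,
     "image": r"C:\Windows\psexec.exe",
     "cmdline": r"psexec.exe \\10.0.0.12 -accepteula -s -d rundll32.exe C:\Windows\payload.dat,#1"},
    {"host": "WS01", "type": "ProcessCreate", "pid": 3210, "ppid": 3100,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic.exe /node:"10.0.0.13" /user:"CORP\admin" process call create "rundll32.exe C:\Windows\payload.dat,#1"'},
    {"host": "WS01", "type": "RawDiskWrite", "pid": 3100,
     "image": r"C:\Windows\System32\rundll32.exe", "device": r"\\.\PhysicalDrive0"},
    # benign noise: a user opening Notepad, and one ordinary SMB connection
    {"host": "WS01", "type": "ProcessCreate", "pid": 4000, "ppid": 500,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "WS01", "type": "NetworkConnect", "pid": 4100, "dst": "10.0.0.12", "dport": 445},
]

LSASS_RE = re.compile(r"\\lsass\.exe$", re.IGNORECASE)
LATERAL_TOOL_RE = re.compile(r"\\(psexec(64)?|wmic)\.exe$", re.IGNORECASE)
REMOTE_TARGET_RE = re.compile(r"\\\\[\w.-]+|/node:", re.IGNORECASE)   # \\host or /node:host
PROCESS_VM_READ = 0x10   # access right required to read LSASS memory
SCAN_THRESHOLD = 4       # distinct hosts on 445 from one process tree


def parent_map(events):
    """(host, pid) -> (host, ppid) for every process we saw created."""
    return {(e["host"], e["pid"]): (e["host"], e["ppid"])
            for e in events if e["type"] == "ProcessCreate"}


def root_of(key, parents):
    """Climb the process tree while the parent is itself a recorded process,
    so PsExec/WMIC children are attributed to the dropper that spawned them."""
    while key in parents and parents[key] in parents:
        key = parents[key]
    return key


def detect(events):
    """Return {(host, root_pid): set of chain stages observed}."""
    parents = parent_map(events)
    stages = defaultdict(set)
    smb_targets = defaultdict(set)
    for e in events:
        key = root_of((e["host"], e["pid"]), parents)
        t = e["type"]
        if t == "ProcessAccess" and LSASS_RE.search(e["target_image"]) \
                and int(e["access"], 16) & PROCESS_VM_READ:
            stages[key].add("credential_theft")
        elif t == "NetworkConnect" and e["dport"] == 445:
            smb_targets[key].add(e["dst"])
            if len(smb_targets[key]) >= SCAN_THRESHOLD:
                stages[key].add("smb_scan")
        elif t == "ProcessCreate" and LATERAL_TOOL_RE.search(e["image"]) \
                and REMOTE_TARGET_RE.search(e["cmdline"]):
            stages[key].add("lateral_movement")
        elif t == "RawDiskWrite" and e["device"].lower().endswith("physicaldrive0"):
            stages[key].add("mbr_tamper")
    return dict(stages)


def verdict(stage_set):
    """Stolen credentials plus remote execution is the active-adversary pattern;
    a raw write to the boot disk is worth an alert on its own."""
    if {"credential_theft", "lateral_movement"} <= stage_set:
        return "active adversary: stolen credentials used for lateral movement"
    if "mbr_tamper" in stage_set:
        return "boot record tampering"
    return "no chain"


if __name__ == "__main__":
    for key, found in detect(SAMPLE_EVENTS).items():
        print(key, sorted(found), "->", verdict(found))
```

The point of `root_of` is that no single event in the sample is conclusive on its own (an administrator also runs PsExec, and backup agents also touch the disk); the chain only becomes visible once the LSASS read, the 445 fan-out, the remote execution and the disk write are all charged to the same originating process.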
Root Cause Analytics Understanding the Who, What, When, Where, Why and How
Core features, Sophos Intercept X
Exploit prevention:
- Enforce data execution prevention
- Mandatory address space layout randomization
- Bottom-up ASLR
- Null page (null dereference protection)
- Heap spray allocation
- Dynamic heap spray
- Stack pivot
- Stack pivot (memory protection)
- Stack-based ROP mitigations (caller)
- Structured exception handler overwrite (SEHOP)
- Import address table filtering (IAF)
- LoadLibrary
- Reflective DLL injection
- Shellcode
- VBScript god mode
- WOW64
- Syscall
- Process hollowing
- DLL hijacking
- Squiblydoo AppLocker bypass
- APC protection (DoublePulsar/AtomBombing)
- Process privilege escalation
Active adversary mitigations:
- Credential theft protection
- Code cave prevention
- Man-in-the-browser protection (safe browsing)
- Malicious traffic detection
- Meterpreter shell detection
Anti-ransomware:
- Ransomware file protection (CryptoGuard)
- Automatic file recovery (CryptoGuard)
- Disk and boot record protection (WipeGuard)
Application lockdown:
- Web browsers (including HTA)
- Web browser plugins
- Java applications
- Media applications
- Office applications
Deep learning:
- Deep learning malware detection
- Deep learning PUA detection
- False positive suppression
- Live protection
Respond, investigate, remove:
- Root Cause Analysis
- Sophos Clean
- Synchronized Security
Deployment:
- Alongside existing AV
- Integrated with the Sophos Endpoint Agent
Operating systems:
- Windows 7, Windows 8, Windows 8.1, Windows 10
- macOS (features include CryptoGuard, malicious traffic detection, Synchronized Security and Root Cause Analysis)
Complete Next-Gen Endpoint Security
Legend: X = Intercept X, * = Endpoint Protection Advanced, # = Endpoint Protection Standard
Stages covered: control, pre-execution, code execution, response, visibility
- Peripheral Control: *
- Application Control: *
- Web Security: * #
- Download Reputation: * #
- Genotype Behaviors: * #
- Man-in-the-browser Protection: X
- Anti-Exploit: X
- Active Adversary Mitigation: X (coming soon)
- Firewall Control: * # (coming soon)
- Web Control: *
- Deep Learning File Scanning: X (coming soon)
- Signature File Scanning: * #
- Live Cloud Lookup: * #
- CryptoGuard: X
- WipeGuard: X
- Malicious Traffic Detection: X *
- Data Loss Prevention: *
- Code Behavior Analysis: * #
- HIPS Behavior Analysis: * #
- Synchronized Security Heartbeat: X *
- Synchronized Application ID: X * (coming soon)
- Synchronized Encryption: X *
- Root Cause Analysis: X
- Logs & Reports: X * #
- Block: X * #
- Quarantine: X * #
- Clean: X
- Dashboard: X * #
- Data sharing API: X * #
- Roll Back: X
- Alerts: X * #
- Central Management: X * #