
1 Intercept X Early Access Program Sophos Tester
Karl Ackerman, Principal Product Manager – Endpoint Security Group, July 2017

2 Agenda
Overview FAQ
Tests described
Platform Results

3 Overview FAQ
What is Sophos Tester?
A demonstration of attack techniques, from exploits and ransomware to atom bombing.

Is this safe to use?
Sophos Tester will not harm your PC. It performs the techniques of multiple attack methods but does not deliver malware, communicate with command and control servers, or encrypt your documents.
NOTE: running the tool with Intercept X will create detection events, and they will show in Sophos Central, so if that console is monitored by another team, they may wonder what the heck you are doing.

Can I run Sophos Tester on a machine with a competitor's AV?
The tool is not intended for competitive comparisons; it was built to confirm the detection methods available in Intercept X. Some AV vendors block the tool as malicious or unknown; others may block some of the attack techniques as well.

What platforms does the tool run on?
Sophos Tester was built for Windows 7 32-bit and should run on Windows XP, 7, 8 and 10 on 32- and 64-bit systems. Some issues with operating systems other than Windows 7 32-bit are known, with tests failing to run correctly.

4 Overview FAQ (continued)
Does the test tool have a test for ALL the mitigations in Intercept X?
No. This tool does not validate all exploit methods, just the most common ones.

Why don't I see any tests for Disk-Wiping, Credential Theft or Process Protection?
For these tests the test tool needs to be run as administrator: right-click on Sophos Tester.exe and select "Run as Administrator".

When run with Intercept X, do detections generate events in the console?
Yes. When run with Intercept X, the admin console will show the detection events, and a Root Cause Analysis may also be generated.

Will Sophos Clean remove the test tool on detection?
No. Sophos Clean will allow Sophos Tester to remain after detections. Ransomware detections by Intercept X will identify the target application and block similar attacks until a reboot, or until sufficient time has elapsed for Intercept X to unblock the application.

5 Agenda
Overview FAQ
Tests described
Platform Results

6 Attack Targets
Target: we look for common infection vectors (applications) used by malware on the machine and display these as target applications. Using a target application will launch that application to perform the attack technique.
Dummy (Default): this is the Sophos Tester executable itself and can be used to demonstrate attacks.
Note: some attacks on a protected system will identify Sophos Tester or the target application and lock its use for a period of time. A good way to avoid having to reboot is to try each ransomware test with a different target application.

7 Category / Attack Techniques
| Category | Attack Techniques |
|---|---|
| Code exploits | Attacks that take advantage of vulnerabilities in the software being used |
| Memory exploits | Attacks that manipulate process and system memory to execute their code |
| Logic Flaws | Preventing malicious behaviors even when the application is 'allowed' to perform them |
| Safe Browsing | Detect man-in-the-browser activity that presents one view to the user and another to the site |
| Ransomware | Malicious rapid file encryption. Often the target application is then blocked from similar activity; reboot to clear this state on Intercept X protected devices. See Settings for additional configurations |
| Disk-wiping | Attacks on the master boot record |
| Credential Theft | Attacks that steal authentication credentials |
| Process Protection | Newer exploits using Asynchronous Procedure Calls (WannaCry, EternalBlue, DoublePulsar) |
Run Sophos Tester as Administrator for the Disk-wiping, Credential Theft and Process Protection tests.

8 Agenda
Overview FAQ
Tests described
Platform Results

9 Platform tests (Target Dummy-Default)
| Category | Attack | Intercept X Policy Control | Win 7 32bit (No AV) | Win 7 32bit (Intercept X EAP) | Win 8 64bit (No AV) |
|---|---|---|---|---|---|
| Code Exploit | StackPivot1 | Exploit | Success | Blocked | |
| | StackPivot2 | | | | |
| | VirtualProtect ROP | | | | |
| | VirtualProtect ROP via legit call | | | Succeeded (Test passed, legitimate) | |
| | NtProtectVirtualMemory ROP | | | | |
| | WinExec ROP | | | | |
| | IAF VirtualProtect via legit call | | | | |
| Memory Exploit | Nop Sled Heap Spray | | | | |
Blank cells carry no value in the transcript; the original slide merged cells vertically.

10 Platform tests (Target Dummy-Default)
| Category | Attack | Intercept X Policy Control | Win 7 32bit (No AV) | Win 7 32bit (Intercept X EAP) | Win 8 64bit (No AV) |
|---|---|---|---|---|---|
| Memory Exploit | Polymorphic Nop Sled Heap Spray | | Success | Blocked | |
| | Data Execution Prevention | | | | |
| Logic Flaws | Create, Execute | | | | |
| | Create, Execute elevated | | | Blocked (Note MS warnings) | |
| | Create, Rename, Execute | | | | |
| | Create, Execute via WMI | | | | |
| Safe Browsing | WinINet hijack | | | Must run with a target browser. (Detected) | |
| Ransomware* | CryptoLocker | Crypto Guard | | Blocked (1) | |
(1) After an attack the target application (Sophos Tester) is temporarily blocked from similar activity; a reboot may be required.

11 Platform tests (Target Dummy-Default)
| Category | Attack | Intercept X Policy Control | Win 7 32bit (No AV) | Win 7 32bit (Intercept X EAP) | Win 8 64bit (No AV) |
|---|---|---|---|---|---|
| Ransomware* | CTB-Locker | Crypto Guard | Success | Blocked (1) | |
| | TorrentLocker | | | | |
| | CryptoWall 3 | | | | |
| | Locky | | | | |
| | HydraCrypt | | | | |
| | Cerber 3 | | | | |
| | Dharma | | | | |
| | Dharma Alternative | | | | |
| | CryptoShield | | | | |
| Disk-wiping | Master Boot Record | Disk and Boot Protection | | Blocked | |
(1) After an attack the target application (Sophos Tester) is temporarily blocked from similar activity; a reboot may be required.

12 Platform tests (Target Dummy-Default)
| Category | Attack | Intercept X Policy Control | Win 7 32bit (No AV) | Win 7 32bit (Intercept X EAP) | Win 8 64bit (No AV) |
|---|---|---|---|---|---|
| Credential Theft | Read LSASS memory | Member of EAP protected devices | Success | Blocked (2) | Blocked (3) |
| | Open SAM registry | | | Blocked | |
| Process protection | APC Exploit (Atom Bombing) | | | | |
| | APC Exploit (Start shellcode) | | | | |
Known issues: we have had some reported issues with Sophos Tester not executing the tests correctly on some x64 devices; we are investigating.
Support on servers and Mac: with the exception of Crypto Guard, not yet available for Windows Servers or Mac OS.
Supported operating systems: supported on Windows XP and above; NOT available for Mac OS.
(2) This attack is shown as 'unsuccessful' in Sophos Tester, but no notification is presented to the user; we'll fix it.
(3) Windows 8 64-bit protected the LSASS memory from non-authorized processes.

13 Notifications on the desktop
Detections from Sophos Tester will generate notifications on the device. A Clean scan will be run, and Sophos Tester will remain on the device. Events will be registered in Sophos Central, and in a few minutes a Root Cause Analysis report will be available for review. When running ransomware tests, the target application is identified and Intercept X will block the detected behavior from that application until a reboot.

14 Notifications in Sophos Central
A Sophos Tester detection results in a notification to the end user and in Sophos Central.

15 Sophos Central – Root Cause Analysis
Root Cause Analysis reports should be generated for most detection events
