Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intercepting Advanced Threats

Published byStephen Wilkins Modified over 6 years ago

Similar presentations

Presentation on theme: "Intercepting Advanced Threats"— Presentation transcript:

1 Intercepting Advanced Threats
Anurag Singh Sophos Sales Engineer

2 Top Threats in the US Exploits Ransomware Phishing
Industrialized attacks Flash, Downloader, JS redirect, Malvertising Ransomware Dropper, Phish, Shortcut, Doc Macro Successful attacker can earn up to $394,000 in a single month Phishing 93% of phishing s have a ransomware payload (CSO Online)

3 Malware File based malware Fileless malware Portable executables Documents and media files Scripts, Java, web pages Other Exploit driven attacks Application behavior abuse 56% 30% 11% 3% 90% of breaches use an exploit Most attacks involve more than one approach to compromise the system A drive-by exploit installs a dropper on the device that then deploys malware An office document or pdf with a macro, connects to a command and control server, performs rapid file encryption or deploys malware Active adversaries can ‘live off the land’ and never deploy files Leverage existing vulnerabilities to penetrate the system Migrate to a privileged process Load malware directly into running processes Extract critical documents and user authentication credentials

4 HD Phishing Data stolen from breach being used in phishing campaign.

5 Locally targeted

6 Document malware

7 Petya at a Glance Petya is an old ransomware variant from 2016
New trick: lateral movement a la WannaCry Internal only: no external propagation Ransomware encrypts files Cost: $300 in Bitcoin; shut down Infects master boot record; forces reboot Kill switch identified Motive believed to be attack against Ukraine Only about $10k in ransom collected Patching against WannaCry wasn’t foolproof Alright, moving right along to Petya, also known as NotPetya, Nyetya, and a bunch of other colorful names. <advance> We’ll focus on the most recent attack, which started on June 27 in and was far more targeted than WannaCry. It initially spread around the Ukraine, with an estimated 80% of infections appearing in the Ukraine before spreading worldwide as well, although it could be argued that the spread was more collateral damage than anything else. <advance> Petya itself is a ransomware variant from 2016, though the 2017 attack had some new tricks up its sleeve. Like WannaCry, it leveraged the EternalBlue SMB exploit to move laterally across networks. However unlike WannaCry, it didn’t attempt to spread randomly via the internet – again, a sign of a more targeted attack. <advance> The ransomware scrambled user files and demanded $300 in Bitcoin to be sent to an address that was swiftly shut down by the host, making it pointless to pay since there would have been no way for the attackers to have been alerted to a payment. <advance> The infection then infects the master boot record and forces the machine to reboot, which effectively scrambles the hard drive’s ability to coherently fetch information. It would be like going into a library, knocking all the books on the floor, and locking the librarian in a closet. And then even if you manage to find the book you’re looking for, all the text has been re-arranged into nonsense.<advance> Like WannaCry, this one contained a kill switch. However this kill switch was not URL-based. More on that in a bit. <advance> Once the dust had settled and we’d all had time to analyze the attack, it became apparent that this was not so much a ransomware attack, but an attack against the Ukraine: it didn’t attempt to spread via the internet, the ransom demanded was monetarily low and the address didn’t work, and it turned out that for some variants, the actual infection wasn’t really reversible even if the decryption keys became available. <advance> And in light of WannaCry, Petya first leveraged the same SMB exploit which, by June, should have been patched on all systems by anyone who paid any attention to WannaCry. If that didn’t work, it went on to try a couple additional methods. We’ll dive a bit deeper into the attack now.<advance>

8 Exploits As a Service Gateway Servers Exploit Kit Customers Victims
Initial Request Exploit Kit Customers Redirection Get Current Domain Tor Exploit Kit Admin Malicious Payloads Landing Page Exploits Stats Management Panel Malware Distribution Servers Payloads Get Stats Update payloads Sophisticated/Coordinated

9 Syndicated HaaS platforms make it easy
Fully integrated Saas console including network and endpoint techniques from infecting a website, all the way to delivering an endpoint payload and selling the results Zero day exploits automatically included Detailed Opportunity Tracking

10 Why cyber security is transitioning new technology
The Volume of malware is staggering 1990’s - Signature based Anti-Virus 1-1 map of ‘checksums’ to malware String Scanning Requires a Victim to report the malware so a new signature can be built ,000,000 Total malware The volume of malware is simply astounding, 400K unique malware samples per day pass through sophos labs. The days of check-sum checking is long gone. Circa – 1992 1,500 Circa ,000

11 A real world attack SMB Exploit CVE CVE Internet/Local Network Leverage SMB exploit to move to other devices and organizations Initial Malware Delivery Credential Theft Dump from LSASS Local Network Leverage PSEXEC or WMIC and stolen credentials to move to target machines Network Scan Identify targets for lateral movement Attack Master Boot Record Overwrite boot sector for ransom note and to destroy Launch multithreaded additional attack steps File Encryption Encrypt local files

12 Sophos Endpoint Advanced
Attack surface reduction Device control – Restrict connected devices Web control – Block prohibited websites App control – Block prohibited applications Malware detection layers Web protection Prevent the navigation to malware delivery sites File Heuristic and Signature Checks Evaluate all file types for malware Runtime memory scanning Scan memory triggered by suspect behaviors Scan can be triggered by Malicious Traffic Detection Integrates with Synchronized Security Sophos FW and EP share contextual threat information Data loss prevention DLP Monitor data leaving for prohibited content Internet/Remote device Sophos Protected Endpoint Device/Web/App Control Web Protect Pre-Execute (Signatures & Heuristics) Memory Scanning (Behavior trigger) DLP scanning on data leaving device

13 Sophos Intercept X Malware detection layers Forensics
Machine learning detection Scan executables for malware Prohibited behavior blocking Block malicious behavior, like ransomware Anti-exploit and hacking protection Block exploits and hacking techniques Forensics Root Cause Analysis Shows the chain of events leading to malicious activity Internet/Remote device Sophos Protected Endpoint Pre-Execute (ML) Process Lockdown (Behavior) Exploit and hacking prevention RCA – Forensics for evaluation

14 Sophos Endpoint Advanced with Sophos Intercept X
Attack surface reduction Device, Web, & Application control Malware detection layers Web protection File Heuristic and Signature Checks Machine learning detection Runtime memory scanning Prohibited behavior blocking Anti-exploit and hacking protection Integrates with Synchronized Security Data loss prevention DLP Forensics Root Cause Analysis Internet/Remote device Sophos Protected Endpoint Device/Web/App Control Web Protect Pre-Execute (ML & Sig/Heuristics) Memory Scanning (Behavior trigger) Process Lockdown (Behavior) Exploit and hacking prevention DLP scanning on data leaving device RCA – Forensics for evaluation

15 Intercept X response SMB Exploit CVE CVE Internet/Local Network Leverage SMB exploit to move to other devices and organizations Initial Malware Delivery Credential Theft Dump from LSASS Local Network Leverage PSEXEC or WMIC and stolen credentials to move to target machines Network Scan Identify targets for lateral movement Attack Master Boot Record If Kaspersky deployed destroy disk sectors If not Kaspersky deploy ransom boot loader Launch multithreaded additional attack steps Master Boot Record Protection Prevents MBR tampering Terminate attacking process CryptoGuard Prevent rapid file encryption Restore attacked files File Encryption Encrypt local files

16 Malware delivery techniques
Only 56% of malware is an executable that can be evaluated by machine learning Most attacks involve more than one approach to compromise the system A drive-by exploit installs a dropper on the device that then deploys malware An office document or pdf with a macro, connects to a command and control server, performs rapid file encryption or deploys malware Active adversaries can ‘live off the land’ and never deploy files Leverage existing vulnerabilities to penetrate the system Migrate to a privileged process Load malware directly into running processes Extract critical documents and user authentication credentials Machine Learning Behavior Exploit and Hacking File based malware Fileless malware Portable executables Documents and media files Scripts, Java, web pages Other Exploit driven attacks Application behavior abuse 56% 30% 11% 3% 90% of breaches use an exploit

17 Stopping Not-Petya SMB Exploit CVE CVE Internet/Local Network Leverage SMB exploit to move to other devices and organizations Initial Malware Delivery Credential Theft Dump from LSASS Local Network Leverage PSEXEC or WMIC and stolen credentials to move to target machines Network Scan Identify targets for lateral movement Attack Master Boot Record If Kaspersky deployed destroy disk sectors If not Kaspersky deploy ransom boot loader Launch multithreaded additional attack steps Deep Learning Detect and block the PE file as malicious APC Violation Detect and block the exploit technique Credential Theft Prevent LSASS and SAM DB credential extraction Synchronized Security Prevent network traffic from compromised devices File Encryption Encrypt local files

18 Root Cause Analytics Understanding the Who, What, When, Where, Why and How

19 Core features – Sophos Intercept X
Exploit Prevention Enforce data execution prevention Mandatory address space layout randomization Bottom-up ASLR Null page(Null Deference protection) Heap spray allocation Dynamic heap spray Stack pivot Stack pivot (memory protection) Stack-based ROP mitigations(caller) Structured exception handler overwrite(SEHOP) Import address table filtering (IAF) Load library Reflective DLL injection Shellcode VBScript god mode WOW64 Syscall Hollow process DLL jacking Squibdlydoo applocker bypass APC protection (Double pulsar/AtomBombing) Process privilege escalation Active Adversary Mitigations Credential theft protection Code cave prevention Man-in-the-browser protection (Safe browsing) Malicious traffic detection Meterpreter shell detection Anti Ransomware Ransomware file protection (CryptoGuard) Automatic file recovery (CryptGuard) Disk and boot record protection (WipeGuard) Application lockdown Web browsers (including HTA) Web browser plugins Java applications Media applications Office applications Deep Learning Deep learning malware detection Deep learning PUA detection False positive suppression Live protection Respond Investigate Remove Root Cause Analysis Sophos Clean Synchronized Security Deployment Alongside existing AV Integrated with Sophos Endpoint Agent Operating Systems Windows 7 Windows 8 Windows 8.1 Windows 10 Mac OS – Features include CryptoGuard Malicious traffic detection Synchronized security Root cause analysis

20 Complete Next-Gen Endpoint Security
Intercept X * Endpoint Protection Advanced # Endpoint Protection Standard CONTROL PRE-EXECUTION CODE EXECUTION Peripheral Control * Application Control * Web Security *#  Download Reputation *# Genotype Behaviors *# Man-in-the-browser Protection X Anti-Exploit X Active Adversary Mitigation X Coming Soon Firewall Control *# Coming Soon Web Control * Deep Learning File Scanning X Coming Soon Signature File Scanning *# Live Cloud Lookup *# CryptoGuard X WipeGuard X Malicious Traffic Detection X* Data Loss Prevention * Code Behavior Analysis *# HIPS Behavior Analysis *# RESPONSE VISIBILITY Synchronized Security Heartbeat X* Synchronized Application ID X* Coming Soon Synchronized Encryption X* Root Cause Analysis X Logs & Reports X*# Block X*# Quarantine X*# Clean X Dashboard X*# Data sharing API X*# Roll Back X Alerts X*# Central Management X*#

21

Download ppt "Intercepting Advanced Threats"

Similar presentations

Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
eScan Total Security Suite with Cloud Security

eScan Total Security Suite with Cloud Security
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.

©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.

3-Protecting Systems Dr. John P. Abraham Professor UTPA.
1 Higher Computing Topic 8: Supporting Software Updated 16-6-11.

1 Higher Computing Topic 8: Supporting Software Updated
Synchronized Security Revolutionizing Advanced Threat Protection

Synchronized Security Revolutionizing Advanced Threat Protection
Sky Advanced Threat Prevention

Sky Advanced Threat Prevention
January 07 th 2016 Intelligence Briefing NOT PROTECTIVELY MARKED.

January 07 th 2016 Intelligence Briefing NOT PROTECTIVELY MARKED.
BUFFERZONE Advanced Endpoint Security Data Connectors-Charlotte January 2016 Company Confidential.

BUFFERZONE Advanced Endpoint Security Data Connectors-Charlotte January 2016 Company Confidential.
W elcome to our Presentation. Presentation Topic Virus.

W elcome to our Presentation. Presentation Topic Virus.
1 #UPAugusta2016. 2 3 Today’s Topics What are Deadly IT Sins? Know them. Fear them. Fix them. #UPAugusta201 6.

1 #UPAugusta Today’s Topics What are Deadly IT Sins? Know them. Fear them. Fix them. #UPAugusta201 6.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,

Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
Rapid Detection & Incident Response What, Why and How March 2016 Ft Gordon.

Rapid Detection & Incident Response What, Why and How March 2016 Ft Gordon.
©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.

©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.
Kaspersky Small Office Security INTRODUCING New for 2014!

Kaspersky Small Office Security INTRODUCING New for 2014!
©2015 Check Point Software Technologies Ltd. 1 Website Watering Holes Endpoints are at risk in numerous ways, especially when social engineering is applied.

©2015 Check Point Software Technologies Ltd. 1 Website Watering Holes Endpoints are at risk in numerous ways, especially when social engineering is applied.

Similar presentations

Ads by Google