Transcript of the slide deck “Sophos – Become an IT hero”

Page 1:

Sophos – Become an IT hero

Dean Shroll – Director Sales Engineering

Arnie Rice – Enterprise Sales Engineer, TOLA

Page 2:

Sophos Snapshot

• Founded 1985, Oxford, UK
• 534.9 in billings (FY16)
• 2,700 employees (approx.)
• 200,000+ customers
• 100M+ users
• HQ: Abingdon, UK
• 90+% best-in-class renewal rates
• 20,000+ channel partners
• OEM partners, key dev centers, offices (graphics on the slide)

Page 3:

Mission

To be the best in the world at delivering complete IT security to mid-market enterprises and the channel that serves them

Strategy

• Security only
• Focus on mid-market enterprises
• Complete security – Made simple
• Integrated Next Gen endpoint and network security
• Managed and delivered through the cloud
• ‘Channel First’ sales model

Page 4:

Threat Landscape 2016

Page 5:

Data Breaches - The root of the problem

• 400,000 new malware per day
• >6800 vulnerabilities per year
• >90% of data breaches use exploits
• ~24 available exploit methods
• >70% of companies have been breached
• >30% increase from 2015

Traditional Anti-Virus: File Analytics • Heuristics • URL Blocking • Black/White Lists • Signatures • Sandboxing

Patch Management: Vulnerability Scanning • Device Management • Patch testing and deployment

SIEM and EDR: Anomaly Detection • Security Operations Center • Forensic breach assessment teams

Sophos - Intercept: Exploit and Ransomware Prevention • Incident Response Report • Root Cause determination

Page 6:

Where Malware Gets Stopped (Note: each model standalone is 80-95% effective)

Traditional Malware
• Exposure Prevention (URL Blocking, Web Scripts, Download Rep): 80%
• Pre-Exec Analytics (Generic Matching, Heuristics, Core Rules): 10%
• Signatures (Known Malware, Malware Bits): 5%

Advanced Threats
• Run-Time (Behavior Analytics, Runtime Behavior): 3%
• Exploit Detection (Technique Identification): 2%

This 5% is the SCARY stuff

Page 7:

Malvertising Threat Chain

(diagram; labels: Third Party, Ad Network, RTB)

Page 8:

Ransomware today

Page 9:

Page 10:

What is Ransomware?

• “There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC.” – Microsoft

Ransomware can:
• Prevent access
• Encrypt files
• Stop certain applications from running

Ransomware normally demands a payment (ransom) in order to restore normal operation.

Page 11:

2 main vectors of attack

• SPAM (via social engineering)
  ○ Seemingly plausible sender
  ○ Has attachment e.g. invoice, parcel delivery note
  ○ The attachment contains an embedded macro
  ○ When the attachment is opened the macro downloads and then executes the ransomware payload
  ○ Used by Locky, TorrentLocker, CTB-Locker

• Exploit kits
  ○ Black market tools used to easily create attacks that exploit known or unknown vulnerabilities (zero-day)
  ○ Client side vulnerabilities usually target the Web browser
  ○ Angler, Neutrino

Page 12:

Many ways to fool/interest you

Page 13:

Exploit Kits

Page 14:

What is an Exploit Kit?

… software kit designed to run on web servers, with the purpose of identifying software vulnerabilities in client machines communicating with it, and discovering and exploiting vulnerabilities to upload and execute malicious code on the client…

…tend to be deployed covertly on legitimate Web sites that have been hacked, unknown to the site operators and visitors.

Page 15:

Exploits As a Service

(diagram; labels: Victims, Initial Request, Redirection, Gateway Servers, Landing Page, Exploits, Payloads, Malicious Payloads, Malware Distribution Servers, Management Panel, Exploit Kit Admin, Exploit Kit Customers, Tor, Get Current Domain, Get Stats, Update payloads, Stats)

Page 16:

Angler: an all-too-well-known exploit kit

• Grown in notoriety since mid 2014
  o The payload is stored in memory and the disk file is deleted
  o Detects security products and virtual machines
  o Ability to spread many infections: banking Trojans, backdoor, rootkits, ransomware

• Easy to use
  o Doesn’t require any particular technical competence
  o Available for a few thousand USD on the Dark Web

Page 17:

Chain of infection for Angler exploit kits

1. The victim accesses a compromised web server through a vulnerable browser

2. The compromised web server redirects the connection to an intermediary server

3. In turn, the intermediary server redirects the connection to the attacker’s server which hosts the destination page of the exploit kit

4. The destination page looks for vulnerable plug-ins (Java, Flash, Silverlight) and their version numbers

5. If a vulnerable browser or plug-in is detected, the exploit kit releases its payload and infects the system.

Page 18:

Is Angler Dead?

1. 2016-06-07T05:29:46Z, when our last hit for Angler was recorded.

2. Started to dip in January 2016 but went back up in February.

3. Russia’s Federal Security Service (FSB) arrested 50 tied to $50M via Lurk malware.

4. Neutrino filling the void?

Page 19:

Anatomy of a ransomware attack

Page 20:

Ransomware

Page 21:

Ransomware Evolves

Page 22:

Anatomy of a ransomware attack

1. Installation via an exploit kit or spam with an infected attachment. Once installed the ransomware modifies the registry keys.

2. Contact with the command & control server of the attacker. The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer.

3. Encryption of assets. Certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery.

4. Ransom demand. A message appears on the user’s desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker’s system has access to.

5. And gone. The ransomware will then delete itself leaving just the encrypted files and ransom notes behind.

Page 23:

Ransom demands

Page 24:

Paying ransoms

• Payment is made in Bitcoins

• Instructions are available via Tor

• The ransom increases the longer you take to pay

• On payment of the ransom, the public encryption key is provided so you can decrypt your computer files

Page 25:

Common ransomware:

Page 26:

Page 27:

Locky:

• Nickname of a newer strain of ransomware, so-called because it renames all your important files so that they have the extension .locky

• Ransoms vary from BTC 0.5 to BTC 1.00 (1 BTC is worth about $635 as of 10/13/16).

• Started hitting the headlines in early 2016

• Wreaking havoc with at least 400,000 machines affected worldwide

Page 28:

A common Locky attack

• You receive an email containing an attached document.
  o The document looks like gobbledegook.
  o The document advises you to enable macros “if the data encoding is incorrect.”
  o The criminals want you to click on the 'Options' button at the top of the page.

• Encrypts the wallet.dat (Bitcoin Wallet)

• Once you click Options, Locky will start to execute on your computer.

• As soon as it is ready to ask you for the ransom, it changes your desktop wallpaper.

• The format of the demand varies, but the results are the same.

Page 29:

Odin (Locky’s Brother)

• You receive an email containing an attached document.
  o “Order Processed” email
  o .zip claiming it is your order receipt
  o Unzip, see 2 files (cancellation form, order details)

• Cancellation Form is comprised of a JavaScript (surprise)
  o Executes outside the browser, so bypasses sandboxing
  o Downloads Odin Ransomware with no popups

• Encrypts files with an AES random generated key.

• Encrypts each AES key with a RSA public key

• Fault tolerant Encryption

• Changes Wallpaper

Page 30:

RAA

• Targeting Businesses for larger payouts

• Composed entirely of JavaScript

○ Masquerade as Word (.doc) files

○ Leverages CryptoJS (open source library)

○ AES Encryption

• Distributed via email attachment.

○ Document appears to be corrupt to end user

○ Meanwhile script scans available drives and uses CryptoJS to encrypt files in the background.

○ Drops copy of Pony.

○ Deletes shadow copies

• Ability to create an Encryption key without the need of the Internet

Page 31:

TorrentLocker

• Almost exclusively distributed via sophisticated spam campaigns

○ High quality emails

○ Translated into multiple languages (Dutch, Japanese, Korean, Italian, Spanish …)

• Highly targeted geographically

• Peculiarity: Use of the victim machine’s address book to send the ransomware to other machines

• Communicates with its C&C server in HTTPS (POST requests) to make detection more difficult

Page 32:

CTB-Locker variant that attacks websites

• Same name as the ransomware that attacks Windows computers

• Written in PHP

• First attack in the UK on 12th February 2016

• Already many hundreds of sites have been attacked

• Attacks websites by encrypting all files in their repositories

• A password-protected ‘shell’ is installed on most of the affected sites, allowing attackers to connect to the server(s) via a backdoor

• ECC encryption done locally; no Internet connection required to pull a key

Page 33:

Petya

• Latest variant of Ransomware
• Ransoms usually BTC 1.00 (1 BTC is worth $594 as of 9.21.16; $635 as of 10.13.16)
• Started hitting the headlines in early 2016
• Majority of infections across the pond, but starting to see it active in the US
• Needs admin privileges to complete infection
• More targeted attacks, disguised as an email from Human Resources
• Encrypts MBR (Master Boot Record) & MFT (Master File Table)
• Creates false Blue Screen of death to force reboot

Page 34:

Mischa (now paired with Petya for double the fun)

• In the event Petya fails due to lack of Admin privileges, Mischa runs instead: Ransomware Fault Tolerance
• No admin privileges needed
• Started hitting the headlines in Mid 2016
• State Side in full effect
• Back to file level encryption
• Encrypts .exe files as well as normal targets
• Very difficult to clean from infected machine
• Ransoms Higher than Petya, usually BTC 1.75 – 2 (1 BTC is worth $594 as of 9.21.16; $635 as of 10.13.16)

Page 35:

Why these attacks are so successful

Page 36:

Why are these attacks so successful?

Professional attack technology

• Highly professional approach e.g. usually provides the actual decryption key after payment of the ransom

• Skillful social engineering

• Hide malicious code in technologies that are permitted in many companies e.g. Microsoft Office macros, JavaScript, VBScript, Flash …

Page 37:

Why are these attacks so successful?

Security weaknesses in the affected companies

• Inadequate backup strategy

• Updates and patches are not implemented swiftly enough

• Dangerous user/ rights permissions – more than they need

• Lack of user security training

• Security systems are not implemented or used correctly

• Lack of IT security knowledge

• Conflicting priorities: security vs productivity concerns

Page 38:

Why Is It So Challenging to Address New Threats?

Security: 6,787 new vulnerabilities in 2015, a 31% increase from 2014

IT Ops: 80% of breaches are from known vulnerabilities; 193 days on average to fix vulnerabilities after initial discovery

(Sources: Gartner, WhiteHat Security, Forrester)

Page 39:

Practical steps for protection

Page 40:

Security solution requirements

As a minimum you should:

• Patch, Patch, Patch and oh ya PATCH

• Deploy antivirus protection

• Block spam

• Use a sandboxing solution

• Block risky file extensions (javascript, vbscript, chm etc…)

• Password protect archive files

• Use URL filtering (block access to C&C servers)

• Use HTTPS filtering

• Use HIPS (host intrusion prevention service)

• Activate your client firewalls

• Use a whitelisting solution
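Two items in the list above, blocking risky file extensions and handling archive files, are where a mail gateway does most of its attachment work: the Odin lure on Page 29 is a .zip whose “cancellation form” is really JavaScript. The following is an added example of such a policy check, written for this transcript and not taken from the deck or from Sophos. The extension set beyond the .js/.vbs/.chm the slide names, the archive depth limit, and the sample attachments are assumptions made for the example.

```python
"""Attachment policy check for a mail gateway (illustrative example; not Sophos code).

The final extension decides (invoice.pdf.js is treated as .js), ZIP archives are
opened so a script hidden in an 'order receipt' archive is found, and archive
entries flagged as encrypted (password-protected) are reported because a scanner
cannot look inside them.
"""
import io
import zipfile

# Extensions the slide names (.js, .vbs, .chm) plus the usual script variants a
# gateway groups with them; the exact set is a policy choice, not a Sophos list.
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".chm", ".hta", ".scr"}
ZIP_MAGIC = b"PK\x03\x04"
MAX_ARCHIVE_DEPTH = 3          # stop unpacking nested archives at this depth


def effective_extension(filename: str) -> str:
    """Last extension, lower-cased, ignoring any path: 'a/b/invoice.pdf.JS' -> '.js'."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1].strip().lower()


def check_attachment(filename: str, data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return [(finding, path), ...]; an empty list means the attachment is allowed."""
    path = prefix + filename
    findings = []
    if effective_extension(filename) in RISKY_EXTENSIONS:
        findings.append(("risky_extension", path))
    if data[:4] == ZIP_MAGIC or effective_extension(filename) == ".zip":
        if depth >= MAX_ARCHIVE_DEPTH:
            return findings + [("archive_too_deep", path)]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:            # general-purpose bit 0: entry is encrypted
                        findings.append(("encrypted_archive_entry", f"{path}/{info.filename}"))
                    elif not info.is_dir():
                        findings += check_attachment(info.filename, zf.read(info), depth + 1, path + "/")
        except zipfile.BadZipFile:
            findings.append(("corrupt_archive", path))
    return findings


def _zip_of(entries) -> bytes:
    """Build an in-memory ZIP from (name, bytes) pairs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag in every local and central header of a ZIP.

    Constructed helper: Python's zipfile reads but does not write password-protected
    archives, so the flag is patched in; the entry data itself is not encrypted.
    """
    buf = bytearray(zip_bytes)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature)
        while pos != -1:
            buf[pos + flag_offset] |= 0x01
            pos = buf.find(signature, pos + 4)
    return bytes(buf)


def build_samples() -> dict:
    """Constructed attachments: none contain real malware, only placeholder text."""
    lure = _zip_of([("Cancellation_Form.js", b"// placeholder, not a real script\n"),
                    ("Order_Details.txt", b"Order 1234\n")])
    return {
        "quarterly_report.pdf": b"%PDF-1.4 placeholder document",
        "Order_Receipt.zip": lure,                         # the Odin-style lure from the deck
        "nested.zip": _zip_of([("inner.zip", lure)]),      # script two archive levels down
        "protected.zip": _mark_encrypted(_zip_of([("invoice.docm", b"placeholder")])),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        verdict = check_attachment(name, blob)
        print(f"{name:22s} {'BLOCK' if verdict else 'allow'} {verdict}")
```

The check keys on the ZIP magic bytes as well as the name, so renaming an archive to .dat does not skip it, and it reports rather than silently drops encrypted entries so the gateway policy (quarantine, or release after the recipient confirms) can be applied consistently.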

Page 41:

Additional steps

• Employee awareness & training
  o Sophos IT Security Dos and Don’ts
  o Sophos Threatsaurus

• Segment the company network
  o NAC solutions ensure only known computers can access the network
  o Separate functional areas within a firewall e.g. client and server networks

• Encrypt company data
  o It doesn’t stop the ransomware but prevents damage caused by sensitive documents getting into the wrong hands

• Use security analysis tools
  o If an infection does occur, it’s vital that the source is identified and contained ASAP.

Page 42:

Fighting back: TeslaCrypt

Page 43:

Page 44:

Ransomware

Cryptowall costs users $325M in 2015 – up to $1.1B in 2016
  o 2 out of 3 infections driven by phishing attack
  o Delivered by drive-by exploit kits
  o 100’s of thousands of victims world wide

More variants – Locky and Samas
  o Now for MAC and Windows users

Targeting bigger Phish
  o $17K payment from California hospital

CryptoGuard (available NOW)

• Simple and Comprehensive
• Universally prevents spontaneous encryption of data
• Notifies end user on rapid encryption events
• Rollback to pre-encrypted state
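The CryptoGuard bullets above (prevent spontaneous encryption, notify on rapid encryption events, roll back to the pre-encrypted state) describe a behavioural control against the “Encryption of assets” step of the attack anatomy on Page 22. The following is an added example of that idea, written for this transcript; it is not Sophos CryptoGuard, whose internals the deck does not describe. The entropy threshold, the sliding window, the write limit and the simulated processes are all assumptions made for the example.

```python
"""Behaviour-based detector for rapid file encryption, with rollback (illustrative
example; not Sophos CryptoGuard).

The pattern it keys on is the one the deck describes: ransomware rewrites many
files with ciphertext in a short time. The monitor keeps a copy of each file's
content before a process first writes it, scores new content by Shannon entropy,
counts high-entropy overwrites per process in a sliding window, and when a process
exceeds the limit it is convicted and every file it changed is restored.
"""
import hashlib
import math
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 7.2        # bits per byte; ciphertext/compressed data sits near 8.0
WINDOW_SECONDS = 10.0          # sliding window for counting suspicious writes
MAX_HIGH_ENTROPY_WRITES = 5    # more than this many in the window convicts the process


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class EncryptionMonitor:
    def __init__(self):
        self.files = {}                       # path -> current content (stand-in for the disk)
        self.journal = {}                     # (pid, path) -> content before pid's first write
        self.recent = defaultdict(deque)      # pid -> timestamps of high-entropy writes
        self.convicted = set()
        self.rollbacks = []                   # (pid, [restored paths]) per conviction

    def write(self, pid: int, path: str, data: bytes, ts: float) -> bool:
        """Apply a write; return False when it was refused or triggered a rollback."""
        if pid in self.convicted:
            return False
        self.journal.setdefault((pid, path), self.files.get(path))
        self.files[path] = data
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            return True                       # ordinary document save, nothing to count
        window = self.recent[pid]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_HIGH_ENTROPY_WRITES:
            self._convict(pid)
            return False
        return True

    def _convict(self, pid: int) -> None:
        """Block the process and restore every file it touched from the journal."""
        self.convicted.add(pid)
        restored = []
        for (p, path), before in self.journal.items():
            if p != pid:
                continue
            if before is None:
                self.files.pop(path, None)    # file did not exist before this process
            else:
                self.files[path] = before
            restored.append(path)
        self.rollbacks.append((pid, sorted(restored)))


def pseudo_ciphertext(seed: str, n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed:
    a hash chain, not a cipher, so the example stays reproducible offline)."""
    out, block = bytearray(), seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def simulate():
    """Replay constructed activity: a benign image save, then a mass rewrite of documents."""
    mon = EncryptionMonitor()
    docs = {f"/home/alice/docs/report{i}.txt": (f"Q{i} report: revenue up, costs flat.\n" * 40).encode()
            for i in range(1, 9)}
    mon.files.update(docs)
    # Benign: an image editor saves a JPEG twice. High entropy, but far below the rate limit.
    mon.write(100, "/home/alice/photo.jpg", pseudo_ciphertext("jpeg-v1", 4096), 1.0)
    mon.write(100, "/home/alice/photo.jpg", pseudo_ciphertext("jpeg-v2", 4096), 4.0)
    # Constructed ransomware-like pattern: every document rewritten with ciphertext-like
    # bytes within two seconds. No real encryption happens here.
    for i, path in enumerate(sorted(docs), start=1):
        mon.write(666, path, pseudo_ciphertext(f"ct-{i}", 4096), 10.0 + 0.25 * i)
    return mon, docs


if __name__ == "__main__":
    monitor, originals = simulate()
    for pid, paths in monitor.rollbacks:
        print(f"pid {pid} convicted; restored {len(paths)} files")
    print("all documents intact:", all(monitor.files[p] == c for p, c in originals.items()))
```

In the replay the sixth ciphertext-like write trips the limit, the six documents already overwritten are restored from the journal, and the remaining writes from that process are refused, so all eight documents end up with their original content while the image editor's saves are left alone. Real implementations add more signals than entropy alone (file-type mismatches, renamed extensions, deleted shadow copies) and journal at the filesystem-driver level rather than in memory.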

Page 45:

Root Cause Analysis

How? What? Who? When? Why? Where?

Where did it get in? Should we contact a Regulator? What damage has been done? Did they steal important data?

Page 46:

Incident Response – Understanding the activity

Threat chain, in event-time order from root cause to identified event:
1. Fred.pdf created (copied from USB device)
2. Fred.com accessed (low rep site; accessed via acrobat.exe)
3. Bob.exe created (written by iExplore.exe; from URL fred.com)
4. File infection event, the identified event (Bob.exe reached out to C2 site; HIPS cleaned Bob.exe)

Branched threat chain: Datacollector.exe created (written by iExplore.exe; from URL fred.com)

Root Cause Attribution – PDF delivered from USB
Recommended Action – Leverage Device Control

• Threat Chain – full list of IOCs from the Sophos Data Recorder including process, registry, file, network activity
• Timeline of events – View the order of operations from Root Cause to detected Malicious activity
• At Risk Assets – Identification of all productivity documents related to the complete threat chain
• Branched Threat Chains – Threat Chain includes suspect activity related to the root cause
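The slide's four outputs (root cause attribution, timeline, branched chains, at-risk assets) can all be derived from recorded endpoint activity once each record names what it consumed and what it produced. The following is an added example of that derivation, written for this transcript; it is not the Sophos Data Recorder or Root Cause Analysis implementation. The record schema, file names, process ids and host names are constructed to mirror the chain on the slide.

```python
"""Reconstruct a threat chain from endpoint activity records (illustrative example;
not the Sophos Data Recorder or Root Cause Analysis implementation).

Each record names the artifacts it consumed (inputs) and produced (outputs): files,
process instances, URLs. Starting from the identified event, the walk follows each
input back to the most recent earlier record that produced it, until it reaches
records with no producer: the root cause. Records that consume an artifact of the
chain but are not on the main path are branches; documents touched anywhere in the
chain or its branches are the at-risk assets.
"""
from collections import defaultdict, deque, namedtuple

Event = namedtuple("Event", "eid ts kind inputs outputs detail")

# Constructed records modelled on the deck's example (USB -> Fred.pdf -> fred.com ->
# Bob.exe -> C2 -> HIPS clean). Paths, pids and hosts are made up for the example.
EVENTS = [
    Event("E0", 90, "file_write", ["winword.exe:300"],
          ["C:\\Users\\fred\\Documents\\Budget.xlsx"], "unrelated: winword.exe saved Budget.xlsx"),
    Event("E1", 100, "file_copy", ["USB:\\E:\\Fred.pdf"],
          ["C:\\Users\\fred\\Fred.pdf"], "Fred.pdf copied from USB device"),
    Event("E2", 120, "file_open", ["C:\\Users\\fred\\Fred.pdf"],
          ["acrobat.exe:4411"], "Fred.pdf opened in acrobat.exe"),
    Event("E3", 125, "url_access", ["acrobat.exe:4411"],
          ["http://fred.com/"], "low-reputation site fred.com accessed via acrobat.exe"),
    Event("E4", 126, "process_start", ["acrobat.exe:4411"],
          ["iExplore.exe:5120"], "acrobat.exe launched iExplore.exe"),
    Event("E5", 130, "file_write", ["iExplore.exe:5120", "http://fred.com/"],
          ["C:\\Users\\fred\\Downloads\\Bob.exe"], "Bob.exe written by iExplore.exe from URL fred.com"),
    Event("E6", 131, "file_write", ["iExplore.exe:5120", "http://fred.com/"],
          ["C:\\Users\\fred\\Downloads\\Datacollector.exe"],
          "Datacollector.exe written by iExplore.exe from URL fred.com"),
    Event("E7", 140, "process_start", ["C:\\Users\\fred\\Downloads\\Bob.exe"],
          ["Bob.exe:6001"], "Bob.exe launched"),
    Event("E8", 150, "net_connect", ["Bob.exe:6001"],
          ["c2.example.invalid:443"], "Bob.exe reached out to C2 site"),
    Event("E9", 151, "file_read", ["Bob.exe:6001", "C:\\Users\\fred\\Documents\\Budget.xlsx"],
          [], "Bob.exe read Budget.xlsx"),
    Event("E10", 160, "detection", ["Bob.exe:6001"],
          [], "HIPS cleaned Bob.exe (identified event)"),
]

DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")


def producers(events):
    """Index artifact -> records that produced it, oldest first."""
    index = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        for artifact in ev.outputs:
            index[artifact].append(ev)
    return index


def trace_root_cause(events, detection):
    """Walk backwards from `detection`; return (chain in time order, root-cause records)."""
    index = producers(events)
    chain, roots, seen = {}, [], set()
    frontier = deque([detection])
    while frontier:
        ev = frontier.popleft()
        if ev.eid in seen:
            continue
        seen.add(ev.eid)
        chain[ev.eid] = ev
        found_parent = False
        for artifact in ev.inputs:
            parents = [p for p in index.get(artifact, []) if p.ts < ev.ts]
            if parents:
                found_parent = True
                frontier.append(parents[-1])      # most recent producer before this record
        if not found_parent:
            roots.append(ev)                      # nothing explains this input: root cause
    return sorted(chain.values(), key=lambda e: e.ts), sorted(roots, key=lambda e: e.ts)


def branches(events, chain):
    """Records off the main path that consumed an artifact belonging to the chain."""
    on_chain = {e.eid for e in chain}
    artifacts = {a for e in chain for a in e.inputs + e.outputs}
    return sorted((e for e in events if e.eid not in on_chain
                   and any(a in artifacts for a in e.inputs)), key=lambda e: e.ts)


def at_risk_assets(records):
    """Documents referenced anywhere in the given records."""
    return sorted({a for e in records for a in e.inputs + e.outputs
                   if a.lower().endswith(DOCUMENT_SUFFIXES)})


def build_report(events, detection_id):
    detection = next(e for e in events if e.eid == detection_id)
    chain, roots = trace_root_cause(events, detection)
    side = branches(events, chain)
    return {"root_causes": [r.detail for r in roots],
            "chain": [(e.ts, e.kind, e.detail) for e in chain],
            "branches": [e.detail for e in side],
            "at_risk_assets": at_risk_assets(chain + side)}


if __name__ == "__main__":
    for key, value in build_report(EVENTS, "E10").items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

Note that the earlier, unrelated save of Budget.xlsx by winword.exe is not pulled into the report, because the walk only follows producers of artifacts the chain actually consumed; the document still appears as an at-risk asset because Bob.exe read it.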

Page 47:

Sophos Data Recorder

Understanding the Root Cause of attack: first, keep a log of what the endpoint has been doing (memory, registry, network, file system, process activity)

Operating Systems
• Windows
• MAC OS in early 2017

Capacity
• Up to 30 days of activity
• 100 MB
• Local to the device
• Under 0.5% CPU utilization

Page 48:

Complete protection: Enduser and Network

Sophos Central manages both the Enduser products (Next-Gen Endpoint Protection, Mobile Control, Server Security, SafeGuard Encryption) and the Network products (Next-Gen Firewall / UTM, Web Security, Email Security, Wireless Security).

• Secure the Endpoint (PC/Mac): Next Gen Endpoint security to prevent, detect, investigate and remediate
• Secure the Mobile Device: Secure smartphones and tablets just like any other endpoint
• Secure the Servers: Protection optimized for server environment (physical or virtual): fast, effective, controlled
• Protect the Data: Simple-to-use encryption for a highly effective last line of defense against data loss
• Secure the Perimeter: Ultimate enterprise firewall performance, security, and control.
• Secure the Web: Advanced protection, control, and insights that’s effective, affordable, and easy.
• Secure the Email: Email threats and phishing attacks don’t stand a chance.
• Secure the Wireless: Simple, secure Wi-Fi connection.

Page 49:

Sophos Sandstorm

How Sophos Sandstorm works

1. If the file has known malware it’s blocked immediately. If it’s otherwise suspicious, and hasn’t been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait.

2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete.

3. A detailed report is provided for each file analyzed.

Advanced Threat Defense Made Simple: Secure Web Gateway, Secure Email Gateway, Unified Threat Management, Next-Gen Firewall

Page 50:

Security as a System

Synchronized Security: Integrated, context-aware security where Enduser and Network technology share meaningful information to deliver better protection

• Security must be comprehensive: The capabilities required to fully satisfy customer need
• Security can be made simple: Platform, deployment, licensing, user experience
• Security is more effective as a system: New possibilities through technology cooperation

(diagram: Next Gen Enduser Security and Next Gen Network Security linked by a heartbeat, with Sophos Cloud and SophosLabs)

Page 51:

“No other company is close to delivering this type of synchronized and integrated communication between endpoint and network security products.”

Chris Christiansen, VP of Security Products, IDC

Page 52:

Sophos Central

• Partner Dashboard: Allows Partners to manage multiple customer installations
• Admin: Endpoint Protection, Email Security, Web Gateway, Server Protection, Encryption, Mobile Protection, Wireless
• Self Service: Allows users to customize security status and notifications

Page 53:

Robust Innovation Pipeline for 2016/2017

ENDPOINT
• Next Gen Endpoint: Exploit Prevention, Anti-Ransomware, Root Cause Analysis
• Sophos Clean
• Role-based Administration in Sophos Central

MOBILE
• Unified Endpoint Management
• Security Heartbeat
• Sophos Central managed Full EMM
• iOS Mobile Security

SERVER
• Hyper-V protection
• AWS Auto-scaling
• MTD for Linux, Windows
• Security Heartbeat

UTM/NGFW
• Sophos UTM 9.5
• XG Firewall and Firewall Manager v16
• New Synchronized Security Use Cases
• New XG Series Appliances

WEB
• Global Sophos Central managed SWG
• Next-Gen Web Protection
• Hybrid On-Prem and Cloud Model
• Simplified licensing and pricing

ENCRYPTION
• Synchronized Encryption
• Sophos Central managed Full Disk Encryption
• Multiple Key Support

WIRELESS
• Sophos Central managed Wireless
• New Sophos Secure Access Points
• New XG 1x Series Wireless Appliances

EMAIL
• Sophos Central managed Sophos Email
• Time of Click Protection
• New Anti-Spam Engine
• New Sophos Email Appliances

Page 54:

This Is Next-Gen IT Security

Page 55:

The Evolution of Threats: From Malware to Exploits

(timeline figure running from Traditional Malware to Advanced Threats; labelled entries: Melissa Virus (1999, $1.2B), Love Letter Worm ($15B), FinFischer Spyware, Locky Ransomware (2016, $1.1B), Exploit as a Service; other years and cost figures on the slide: 1998, 2003, 2007, 2014, 2015; $2.3B, $800M, $780M, $500M)

Page 56:

The Evolution of Security: From Anti-Malware to Anti-Exploit

Traditional Malware
• Exposure Prevention: URL Blocking, Web/App/Dev Ctrl, Download Rep
• Pre-Exec Analytics: Generic Matching, Heuristics, Core Rules
• File Scanning: Known Malware, Malware Bits

Advanced Threats
• Run-Time: Behavior Analytics, Runtime Behavior
• Exploit Detection: Technique Identification

Page 57:

Introducing

Page 58:

Introducing Sophos Intercept X

Advanced Malware | Zero Day Exploits | Limited Visibility

Anti-Exploit: Prevent Exploit Techniques
• Signatureless Exploit Prevention
• Protects Patient-Zero / Zero-Day
• Blocks Memory-Resident Attacks
• Tiny Footprint & Low False Positives
No User/Performance Impact, No File Scanning, No Signatures

Anti-Ransomware: Detect Next-Gen Threats
• Stops Malicious Encryption
• Behavior Based Conviction
• Automatically Reverts Affected Files
• Identifies source of Attack
Prevent Ransomware Attacks, Roll-Back Changes, Attack Chain Analysis

Root-Cause Analysis: Automated Incident Response
• IT Friendly Incident Response
• Process Threat Chain Visualization
• Prescriptive Remediation Guidance
• Advanced Malware Clean
Faster Incident Response, Root-Cause Visualization, Forensic Strength Clean

Page 59:

Intercepting Exploits

Exploit Prevention

• Monitors processes for attempted use of exploit techniques e.g. buffer overflow, code injection, stack pivot and others

• Blocks when technique is attempted

• Malware is prevented from leveraging vulnerabilities

Page 60:

New EndUser Agent UI / New Admin UI

Exploit Protection against Stack Attacks, Return-Oriented Programming (ROP), Heap, Error Handling Overwrites, DLL Hijacking, and more…

Page 61:

Sophos Clean: Competitive Displacement. Malware Removal. Vulnerability Assessment.

Seed New Accounts
• Complimentary to Competitive AV
• View what the others leave behind
• 30-Day Free License

Removes Threats
• Deep System Inspection
• Removes Malware Remnants
• Full Quarantine / Removal
• Effective Breach Remediation

On-Demand Assessment
• Identifies Risky Files / Processes
• Constantly Refreshed Database
• Provides Additional Confidence
• Command-Line Capable

Page 62: Sophos Become an IT hero...2 main vectors of attack • SPAM (via social engineering) ○ Seemingly plausible sender ○ Has attachment e.g. invoice, parcel delivery note ○ The attachment

Synchronized Security

Sophos Central (In Cloud / On Prem)

• Admin | Self Service | Partner

• Manage All Sophos Products | User Customizable Alerts | Management of Customer Installations

Cloud Intelligence

• Analytics | Analyze data across all of Sophos’ products to create simple, actionable insights and automatic resolutions

Sophos Labs

• 24x7x365, multi-continent operation | URL Database | Malware Identities | File Look-up | Genotypes | Reputation | Behavioural Rules | APT Rules | Apps | Anti-Spam | Data Control | SophosID | Patches | Vulnerabilities | Sandboxing | API Everywhere

Products

• Endpoint/Next-Gen Endpoint | Mobile | Server | Encryption | UTM/Next-Gen Firewall | Wireless | Email | Web

Page 63

Synchronized Security

Same architecture diagram as Page 62 (Sophos Central, Cloud Intelligence, Sophos Labs and the product set), now showing the Heartbeat link between Endpoint/Next-Gen Endpoint and UTM/Next-Gen Firewall.

Page 64

Extending Security Heartbeat™

Same architecture diagram as Page 62 (Sophos Central, Cloud Intelligence, Sophos Labs and the product set), now showing Security Heartbeat™ extended beyond Endpoint/Next-Gen Endpoint and UTM/Next-Gen Firewall to Mobile, Server, Wireless, Email, Web and Encryption.

Page 65

Synchronized Encryption

Same architecture diagram as Page 62 (Sophos Central, Cloud Intelligence, Sophos Labs and the product set), now highlighting Synchronized Encryption alongside Endpoint/Next-Gen Endpoint, Mobile, Server, Encryption, UTM/Next-Gen Firewall, Wireless, Email and Web.

Page 66

Synchronized Security

Summary view of the architecture diagram from Page 62: Sophos Central (In Cloud / On Prem; Admin, Self Service and Partner management), Cloud Intelligence (Analytics), Sophos Labs (24x7x365, multi-continent operation), and the product set Endpoint/Next-Gen Endpoint, Mobile, Server, Encryption, UTM/Next-Gen Firewall, Wireless, Email and Web.

Page 68

Page 69