WatchGuard - Cryptolocker and the fight against IT's biggest enemy - Orbid - 20160602
Cryptolocker & the fight against IT’s biggest new enemy
Martijn Nielen, Sr. Sales Engineer, WatchGuard
Houston, we have a problem!
• « My antivirus and IPS are updated but I got infected anyway »
First reason: « Zero Day »
• The vulnerability is still unknown
• Or the fix is still not available
Second reason: Technology changes, including hackers…
• “Antivirus is Dead” – Brian Dye, Senior VP, Symantec
Nearly 88% of malware morphs to evade signature-based antivirus solutions*
* Malwise – An Effective and Efficient Classification System for Packed and Polymorphic Malware, Deakin University, Victoria, June 2013
Antivirus can’t keep up
AV Vendor Review
http://labs.lastline.com/lastline-labs-av-isnt-dead-it-just-cant-keep-up
• Average of 2 days for at least one AV scanner to detect what was not detected on day 0
• Detection rates increase to 61% after two weeks
• After a year 10% of scanners still do not detect some malware
• The 1 percentile of malware least likely to be detected was undetected by a majority of AV scanners for months
• In some cases the malware was never detected
Advanced Persistent Threat (APT)
• Nation-state techniques now used for financial gain
• Antivirus can’t keep up: new malware is created as a variant of existing malware to avoid detection by classic techniques
Evolution of APTs
Today, normal criminal malware exploits the same advanced tactics as nation-state APTs.
Every organization is at risk of advanced threats!
• Zeus copies Stuxnet 0day
• Criminals use 0day malware (Cryptolocker)
• Zeus uses stolen certificates
• Criminal spear phishing
• Criminal watering hole attacks
« Cryptolockers »
APT or not APT…
Malware (r)evolution (slide diagram)
Axes: Simple Threats → Sophisticated Threats; Opportunistic Attacks → Targeted Attacks
Solution classes: Antivirus Solutions, APT Solutions
Threat techniques plotted: Packing, Plain Virus, Poly-morphic, C&C Fluxing, Persistent Threats, Evasive Threats
Advanced Malware Analysis (slide diagram): AV, OS / Application Sandbox, Malware and Virus Detection, Zero Day Threat Curve
Three generations of analysis (1st, 2nd, 3rd):
• Sandbox – OS (XP / Win 7) on a hypervisor on a server: high fidelity, low visibility
• Process Emulation – emulated XP / Win 7 functions over CPU and memory on a server: low fidelity, high visibility
• System Emulation – full OS (XP / Win 7) on emulated CPU / memory on a server: high fidelity, high visibility
APT Blocker with Code Emulation
• Evasion detection is critical
Zero Day Malware (slide diagram): Stalling, Looping, Malware?, Exploit, Key logger, C&C Network Traffic, Inaction
Dynamic evasions
• Malware checks the environment
• Multi-path execution: next step based on results
• Stalling / looping: wait long enough for analysis to time out
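The evasions listed above are what code emulation has to recognise. As an added illustration (not WatchGuard or Lastline code), this Python sketch applies them as heuristics to a constructed API-call trace, accounting Sleep on a virtual clock so the analysis keeps running past the stall that would exhaust a wall-clock sandbox; the API names, thresholds and sample traces are assumptions.

```python
from collections import Counter

# Illustrative subset of Win32 calls an emulator might record as environment probes.
ENV_PROBE_APIS = {"IsDebuggerPresent", "GetSystemInfo", "GetTickCount", "GetCursorPos"}
# Calls whose effect is visible outside the process; a loop made only of other calls does no work.
SIDE_EFFECT_APIS = {"CreateFileW", "WriteFile", "connect", "send", "RegSetValueExW", "CreateProcessW"}

def analyse_trace(trace, budget_ms=120_000, loop_threshold=50):
    """Classify a recorded API trace. Sleep() advances a virtual clock instead of blocking,
    so the analysis keeps observing past the point where a wall-clock sandbox would stop."""
    virtual_ms = 0
    probes = Counter()
    side_effects = 0
    repeats = Counter()      # identical calls since the last side effect (busy-wait detector)
    max_repeat = 0
    after_budget = []        # side effects a time-boxed sandbox would never have seen
    for api, arg in trace:
        if api == "Sleep":
            virtual_ms += arg
        if api in ENV_PROBE_APIS:
            probes[api] += 1
        if api in SIDE_EFFECT_APIS:
            side_effects += 1
            repeats.clear()
            if virtual_ms >= budget_ms:
                after_budget.append(api)
        else:
            repeats[(api, arg)] += 1
            max_repeat = max(max_repeat, repeats[(api, arg)])
    indicators = []
    if virtual_ms >= budget_ms:
        indicators.append("stalling")
    if max_repeat >= loop_threshold:
        indicators.append("looping")
    if probes and side_effects == 0:
        indicators.append("probe-then-inaction")
    return {"virtual_ms": virtual_ms, "indicators": indicators,
            "probes": dict(probes), "after_budget": after_budget}

# Constructed traces, not from real samples. The first probes the environment, stalls for
# 30 virtual minutes, busy-waits on the clock, then phones home; the second writes a file.
EVASIVE_TRACE = ([("IsDebuggerPresent", None), ("GetSystemInfo", None)]
                 + [("Sleep", 60_000)] * 30
                 + [("GetTickCount", None)] * 200
                 + [("connect", "198.51.100.7:443"), ("send", 512)])
BENIGN_TRACE = [("CreateFileW", "report.xls"), ("Sleep", 100), ("WriteFile", 4096)] * 3

if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, analyse_trace(trace))
```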
WatchGuard Best of Breed Defense in Depth
• AntiVirus
• URL Filtering
• AntiSpam
• IPS
• App Control
• Data Loss Prevention
• APT
• Platform: WatchGuard Management
Lastline recommended by NSS: 2015 BDS Security Value Map
Unified Threat Management Platform Security Eco System
Default Threat Protection
• Proxy – Web, Email, FTP
• Application Control / IPS
• WebBlocker / RED / SpamBlocker
• AV / Malware, APT Blocker
APT Blocker: Configuration
• APT Blocker local cache
• Remote “cache”
• File inspection
Did you get Locky?
http://watchguardsecuritycenter.com

Once I verified that many of our UTM’s security services could detect Locky, I ran through one last test… I personally tried to download the malicious file “Rechnung-263-0779.xls” from my webmail. I’ve configured my WatchGuard Firebox with HTTPS Deep Inspection. This feature allows WatchGuard’s security services, such as GAV and Intrusion Prevention Service (IPS), to run security scans even on encrypted web traffic, like the webmail I was using to download this ransomware. Despite the encrypted webmail connection, our Firebox detected and blocked the Locky invoice file with the GAV service. It was unable to reach my workstation.

As you can see, WatchGuard XTM and Firebox appliances have several features that can help prevent ransomware like Locky. However, these protections only work if you turn them on and configure them properly. If you want to keep Locky off your network, I highly recommend you read the Knowledgebase Article “How to prevent ransomware and other malicious malware with your Firebox” — Jonas Spieckermann

You need to enable HTTPS DPI on your Firebox!
An APT solution should
• not be dependent on (AV) signatures
• not depend on traditional sandbox technology
• detect evasions
• take prompt actions in real-time
Advanced Malware in Security Dashboard
Visibility in WatchGuard Dimension
True APTs – even obvious from the Dutch file names
• Advanced: trigger interest
• Targeted: e.g. containing the name of the organization
• Threats: true APTs
• Watering holes – “Eucharistieviering” (Dutch)
• Chain-of-trust: by using ‘religious activities’ and social-engineering-based factors
• Non-profit organizations targeted