Agenda
Deconstructing the Threat Landscape
What can a hacker do in 3 hours
How Sophos can help
Deconstructing the Threat landscape
Cyber Attack Attribution Map – It sure looks fancy…
Who is Attacking?
77% Criminals
15% Espionage
5% Hacktivists
3% Warfare
We even have nation states launching ransomware
Source: Hackmageddon.com
Continued rapid growth in new malware
By the end of 2019 over 1 billion unique malware samples will exist
[Chart: total malware collected over time (AV-Test), 2005 to 2018; y-axis from 0 to 900,000,000 samples]
The volume of malware is staggering
1990s: signature-based anti-virus
o 1-to-1 map of checksums (file hashes) to known malware
o String scanning
Requires a victim to report the malware before a new signature can be built
The age of single-use disposable malware
75% of the malicious files SophosLabs detects are found only within a single organization.
SophosLabs receives and processes 400,000 previously unseen malware samples each day.
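The two 1990s techniques above, a checksum map and a string scan, are easy to show failing against single-use samples. The block below is an added example written for this page, not Sophos code or a Sophos signature format; every "sample" is a constructed byte string, not real malware, and "Trojan.Demo.A" is a made-up detection name.

```python
"""Added example (not from the Sophos deck): why 1990s-style signatures fail
against single-use malware.  Two signature styles are shown: a 1-to-1
checksum map (SHA-256 of the whole file) and a string scan (a byte pattern
that must appear somewhere in the file).  Every sample below is a constructed
byte string, not real malware."""
import hashlib
import re
from typing import Dict, Optional

# Constructed "samples": a fake PE header followed by a payload string.
KNOWN_TROJAN = (b"MZ\x90\x00" + b"\x00" * 16
                + b"cmd.exe /c powershell -enc QUJDREVG" + b"\x00" * 8)
# The same trojan with one padding byte changed: what a crimeware kit emits
# when it repacks the binary for each victim.
_tmp = bytearray(KNOWN_TROJAN)
_tmp[5] = 0x01
REPACKED_TROJAN = bytes(_tmp)
# The same trojan with the command line re-cased and the switch spelled out.
OBFUSCATED_TROJAN = KNOWN_TROJAN.replace(b"powershell -enc",
                                         b"PowerShell -EncodedCommand")
CLEAN_FILE = b"MZ\x90\x00" + b"\x00" * 16 + b"Hello, world" + b"\x00" * 8


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The checksum map exists only because a victim reported KNOWN_TROJAN.
HASH_SIGNATURES: Dict[str, str] = {sha256(KNOWN_TROJAN): "Trojan.Demo.A"}

# A string signature written (case-sensitively) from the reported sample.
STRING_SIGNATURES: Dict[str, re.Pattern] = {
    "Trojan.Demo.A": re.compile(rb"powershell -enc [A-Za-z0-9+/=]+"),
}


def scan_by_hash(data: bytes) -> Optional[str]:
    """1-to-1 checksum lookup: any single-byte change defeats it."""
    return HASH_SIGNATURES.get(sha256(data))


def scan_by_string(data: bytes) -> Optional[str]:
    """String scan: survives repacking of unrelated bytes, but not a
    rewritten command line."""
    for name, pattern in STRING_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def scan(data: bytes) -> Dict[str, Optional[str]]:
    return {"hash": scan_by_hash(data), "string": scan_by_string(data)}


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_TROJAN), ("repacked", REPACKED_TROJAN),
                          ("obfuscated", OBFUSCATED_TROJAN), ("clean", CLEAN_FILE)]:
        print(f"{label:10s} {scan(sample)}")
```

The repacked sample is missed by the hash lookup but still caught by the string scan; the re-cased sample evades both, which is the "75% seen in one organization" problem in miniature: a signature can only describe what has already been reported.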
2018 Threat Space Change – Kill Chain Compression (Cyber Kill Chain)
PRE-BREACH
• Recon – harvesting e-mail addresses, conference information, etc.
• Weaponization – coupling an exploit with a backdoor into a deliverable payload
• Delivery – delivering the weaponized bundle to the victim via email, web, …
POST-BREACH
• Exploitation – leveraging a vulnerability or functionality to execute code on the victim's machine
• Installation – installing malware on the asset
• Command & Control – command channel for remote manipulation of the victim
• Actions on Objective – with 'hands on keyboard' access, intruders accomplish their goal
Controls, left to right along the chain:
• Firewall, web and e-mail filtering, sandboxing, user training
• Traditional AV, file scanning, white listing
• SIEM, EDR and anomaly detection
Emotet
“Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”
Source:
US CERT
https://www.us-cert.gov/ncas/alerts/TA18-201A
First reported in 2014
EMOTET – timeline
2014: first seen, as a banking trojan
Constant evolution since: sandbox evasion, upgraded evasion, occasional attacks
Payloads distributed over time: ZBot, Dridex, TrickBot, Qakbot, IcedID, Ryuk
2018: "Amongst the most costly and destructive threats to U.S. businesses right now" – U.S. Department of Homeland Security
2019: Crimeware-as-a-Service
Emotet payloads change constantly
[Chart: # of unique Emotet payload executables seen by SophosLabs per day; the 15 daily counts shown range from 119 to 751 and average about 300]
300 new payload executables every day
Usually Starts with Spam
Social engineering and brand spoofing
Emotet's Goals
• Spread across the network
• Skim email addresses and names
• Send spam to infect other organizations
• Download any malware payload(s)
• Be a smokescreen for targeted ransomware
• Steal browser histories, usernames and passwords
Primary infection → secondary infection → high impact: data breach, security breach, reputation damage
Some Good News – Use of Exploit Kits has fallen sharply
Fileless attack: what criminals use exploit kits for
o Infect the victim via malvertising
o Deliver ransomware, cryptojackers, botnets and banking trojans
Exploit kits that are no longer popular
o Blackhole – author arrested (2013)
o Angler – Russian crackdown (2016)
o Neutrino – went private
o Sundown – stopped their service, code leaked
o Disdain – disappeared
o Terror – disappeared
Currently active kits
o RIG
o Grandsoft
o Magnitude
o Fallout
Tactical shift to malicious documents, macros and scripts
Macro-enabled documents
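Because the shift is toward macro-enabled documents, a mail gateway or analyst needs to tell a document with a VBA project from a harmless one without trusting the file name. The following is an added example, not code from the Sophos deck or any Sophos product: it builds two minimal Office containers in memory (constructed, not valid documents) and classifies them by content, so an attachment named `invoice.doc` that is really a `.docm` is still caught.

```python
"""Added example, not from the Sophos deck: classify an Office attachment by
what is inside it rather than by its file extension.  Modern Office files
(.docx/.docm/.xlsm/...) are ZIP containers; a VBA project is stored as a
vbaProject.bin part and the [Content_Types].xml declares a macroEnabled main
part.  Legacy binary files (.doc/.xls) are OLE2 compound files.  The sample
documents below are constructed in memory for the demo."""
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)


def classify_office_file(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-no-macro', 'ole2-legacy' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls: macros live in OLE streams and need an OLE parser
        # to enumerate, so route these for review rather than guessing.
        return "ole2-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "not-office"
    has_vba_part = any(VBA_PART.match(n) for n in names)
    declares_macro = "macroEnabled" in types_xml
    return "ooxml-macro" if (has_vba_part or declares_macro) else "ooxml-no-macro"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal Word container for the demo (not a valid document)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "application/vnd.openxmlformats-officedocument"
                      ".wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x02constructed-vba-project")
    return buf.getvalue()


# Constructed inputs: a macro document, a clean one, a legacy OLE2 header
# and a plain text file.
MACRO_DOC = build_ooxml(with_macro=True)
CLEAN_DOC = build_ooxml(with_macro=False)
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 24
TEXT_FILE = b"just text"

if __name__ == "__main__":
    # The extension lies: the attacker mails "invoice.doc" that is really a .docm.
    for name, blob in [("invoice.doc", MACRO_DOC), ("report.docx", CLEAN_DOC),
                       ("old.xls", LEGACY_DOC), ("notes.txt", TEXT_FILE)]:
        print(f"{name}: {classify_office_file(blob)}")
```

Legacy OLE2 files are only routed for review here; enumerating their VBA streams needs an OLE parser such as oletools' olevba.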
Some (more) Not So Good News…
Legal cryptomining is an expensive undertaking
Native code attacks
We Want You… To Mine for Us!
• Infect devices with cryptominers.
• Move laterally, spread the infection.
• Remove other mining software.
• Install bad code for future attacks.
The Rise of Malicious JavaScript Miners
Cryptocurrencies surged in value during 2017
Crooks turned to malicious JavaScript miners to generate cryptocurrency
When a user browses to a site or page hosting a malicious JS miner, it just runs in the browser
CPU usage climbs; the device slows to a crawl and gets hotter and hotter
JavaScript miner example: Coinhive
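Coinhive's public script had a recognizable shape: a loader fetched from its host, then a `CoinHive.Anonymous(...)` or `CoinHive.User(...)` object whose `start()` call begins mining, with an optional `throttle` option. The block below is an added example, not part of the deck, that scans page HTML for those indicators; the two pages and the `SITE_KEY` placeholder are constructed for the demo.

```python
"""Added example, not from the Sophos deck: flag pages that embed a
Coinhive-style JavaScript miner.  Indicators are the miner loader host in a
<script src> and the API shape Coinhive's public script exposed (a
CoinHive.Anonymous / CoinHive.User object followed by .start()).  Both HTML
pages below are constructed for the demo."""
import re
from html.parser import HTMLParser
from typing import List

MINER_SCRIPT_HOSTS = ("coinhive.com", "coin-hive.com", "authedmine.com")
MINER_OBJECT = re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(", re.IGNORECASE)
MINER_START = re.compile(r"\.start\s*\(")
THROTTLE = re.compile(r"throttle\s*:\s*([0-9.]+)")


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and complete inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []
        self.inline: List[str] = []
        self._buf: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script, self._buf = True, []
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False
            self.inline.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def find_miner_indicators(html: str) -> List[str]:
    parser = _ScriptCollector()
    parser.feed(html)
    findings: List[str] = []
    for src in parser.srcs:
        if any(host in src.lower() for host in MINER_SCRIPT_HOSTS):
            findings.append(f"miner loader script: {src}")
    for code in parser.inline:
        if not MINER_OBJECT.search(code):
            continue
        findings.append("CoinHive miner object constructed")
        if MINER_START.search(code):
            findings.append("miner started on page load")
        match = THROTTLE.search(code)
        if match:
            findings.append(f"throttle={match.group(1)} (fraction of CPU time left idle)")
        else:
            findings.append("no throttle option: miner will use all available CPU")
    return findings


# Constructed pages.  SITE_KEY is a placeholder, not a real Coinhive key.
INFECTED_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body><p>Free movies</p>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY', {throttle: 0.3});
  miner.start();
</script></body></html>"""

CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.com/jquery.min.js"></script>
</head><body><p>Hello</p>
<script>document.title = 'Hello';</script></body></html>"""

if __name__ == "__main__":
    for name, page in [("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)]:
        print(name, find_miner_indicators(page))
```

A static scan like this only catches the well-known loader; a miner served from a look-alike domain or bundled into a site's own script needs the behavioral signal the slide describes (sustained CPU load from a single tab) rather than string matching.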
The Grey Zone of JavaScript Miners
"Watch our ads or we'll use your CPU for cryptomining"
• Legitimate websites want to make money
• What's the lesser of two evils?
• Legitimate or malicious?
Cyber Crime Revenues
Cybercrime will generate at least $1.5 trillion this year
Crime                         Annual revenues
Illegal online markets        $860 billion
Trade secret, IP theft        $500 billion
Data trading                  $160 billion
Crime-ware / CaaS             $1.6 billion
Ransomware                    $1 billion
Total cybercrime revenues     $1.5 trillion
Source: https://www.thesslstore.com/blog/2018-cybercrime-statistics/
Cybercrime product or service   Price (in US dollars)
SMS spoofing                    $20/month
Custom spyware                  $200
Hacker-for-hire                 $200+
Malware exploit kit             $200 to $700
Blackhole exploit kit           $700/month or $1,500/year
Zero-day Adobe exploit          $30,000
Zero-day iOS exploit            $250,000
Threat Vectors, Payloads and Techniques
Infection vectors: 70% browsing, 25% email, 5% other
• Malicious URLs, phishing attacks, removable media, unauthorized apps
Common infection payloads
• 45% weaponized documents (non-.exe malware: .doc, .xls)
  - Leverages an authorized application to perform malicious activity
  - Often uses existing system tools to complete the attack
  - May use malformed content to exploit the legitimate application
• 32% malicious executables (.exe malware)
  - Frequently packed and obfuscated to avoid traditional signature scans
  - May be hidden inside legitimate software
  - Often deployed by other malware to establish persistence
• 15% malicious scripts and HTML (script-based malware)
  - Typically JavaScript run in the browser
  - Includes MSHTA, PowerShell, cmd scripts, etc.
  - Often used to deliver a malicious exe or establish a connection to C2
Exploit activity: exploits (90% of breaches involved an exploit)
  - Leverage a known or unknown vulnerability to execute code
  - Often use multiple exploit techniques to achieve the objective
  - May never deploy a file to the device and can stay in runtime memory
So what can a hacker do in 3 hours? How about 10 minutes?
RDP credentials for sale
Cost per RDP password: $3.00 to $16.00
RDP credential stores
UAS – Ultimate Anonymity Services: over 40K RDP passwords for sale at any given time
Many organizations allow RDP
• To allow remote access, Windows makes it easy
• Turn on RDP
So how did they steal my RDP password?
• Search the internet for devices that allow RDP authentication
• Follow the online video demos on how to brute force RDP with NLBrute
Now that you have an RDP password what
Anonymity
• Use the compromised device for other crimes
• Set up decoys on the device to delay investigators
Spam platform
• You have a server under your control, use it to send your spam campaign
Simple data theft
• You have full access, so see if they have anything of value on the box
Harvest more credentials
• Set up a key logger and wait for the user to do something interesting, like log into a bank account
Crypto mining
• Start harvesting cryptocurrency using their CPU, electricity and cooling
Deploy ransomware
• As admin, uninstall the AV
• Check if you can move laterally to get more boxes
• Encrypt and post the ransom note
• Wait for payment
Sign up to a 'Crimeware as a Service' platform
Satan Services
• Create a ransomware sample for download
• Set your ransom price and payment conditions
• Collect the ransom payments for you
• Provide a decrypt tool if you want one
• Pay you 70% of the proceeds
Sign-up with optional two factor authentication
The last thing you want is some crook stealing all your hard work by hijacking your account
So use two factor authentication
Remember the RDP you just bought…
Issue your ransom note
Preventative Measures
In response to the threat, Sophos suggests taking the following precautions:
• If you don't need RDP, make sure it's turned off
• Consider using a virtual private network (VPN) for connections from outside your network
• Use two factor authentication (2FA) wherever you can
• Patch early, patch often
• After an attack, check to see what the crooks have changed
• Set a lockout policy to limit password guessing attacks
Oh, and deploy Sophos Intercept X Advanced on all devices ☺
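The NLBrute-style attack described above leaves a distinctive trail in the Windows Security log: a burst of failed logons (event 4625) from one source address, then a successful logon (event 4624) from the same address. The block below is an added example for this page, not Sophos code: a detector that runs over a constructed list of such events and raises the two alerts a defender wants, "guessing in progress" and "the guess succeeded". Event IDs and logon types are Windows' own; the timestamps, user names and the TEST-NET addresses are constructed.

```python
"""Added example, not from the Sophos deck: spot an RDP password-guessing run
in Windows Security log events and the successful logon that follows it.
Event 4625 is a failed logon and 4624 a successful one; logon type 10 is
RemoteInteractive (RDP) and type 3 is how NLA pre-authentication failures are
logged.  All events below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
REMOTE_LOGON_TYPES = {3, 10}


def detect_rdp_bruteforce(events: List[dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Alert when one source IP reaches `threshold` remote logon failures
    inside `window`, and again if that IP later logs on successfully."""
    alerts: List[str] = []
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    guessing_sources = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        ip, ts = ev["src_ip"], ev["ts"]
        failures = recent_failures[ip]
        while failures and ts - failures[0] > window:   # slide the window
            failures.popleft()
        if ev["event_id"] == FAILED_LOGON:
            failures.append(ts)
            if len(failures) == threshold:               # fire once per burst
                guessing_sources.add(ip)
                alerts.append(f"{ts:%H:%M:%S} password guessing from {ip}: "
                              f"{threshold} failures within {window}")
        elif ev["event_id"] == SUCCESSFUL_LOGON and ip in guessing_sources:
            alerts.append(f"{ts:%H:%M:%S} successful logon as {ev['user']} from {ip} "
                          f"after password guessing: treat host as compromised")
    return alerts


# Constructed events: 203.0.113.7 runs a username list against the box and
# gets in as administrator 15 minutes later; 198.51.100.2 is a user who
# mistypes twice and then succeeds.
_T0 = datetime(2019, 3, 1, 3, 0, 0)


def _ev(seconds: int, event_id: int, user: str, src_ip: str, logon_type: int) -> dict:
    return {"ts": _T0 + timedelta(seconds=seconds), "event_id": event_id,
            "user": user, "src_ip": src_ip, "logon_type": logon_type}


SAMPLE_EVENTS = [
    _ev(0, 4625, "administrator", "203.0.113.7", 3),
    _ev(1, 4625, "admin", "203.0.113.7", 3),
    _ev(2, 4625, "user", "203.0.113.7", 3),
    _ev(3, 4625, "test", "203.0.113.7", 3),
    _ev(4, 4625, "backup", "203.0.113.7", 3),
    _ev(5, 4625, "sql", "203.0.113.7", 3),
    _ev(30, 4625, "jsmith", "198.51.100.2", 10),
    _ev(45, 4625, "jsmith", "198.51.100.2", 10),
    _ev(60, 4624, "jsmith", "198.51.100.2", 10),
    _ev(900, 4624, "administrator", "203.0.113.7", 10),
]

if __name__ == "__main__":
    for line in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(line)
    # The lockout policy the slide recommends, set with the built-in command:
    #   net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
```

The threshold-per-window logic is the same one a lockout policy applies on the host, so the detector tells you whether the policy is actually firing. One caveat a practitioner should keep in mind: a lockout threshold also lets an attacker with a valid user list lock real users out on purpose, which is why it belongs alongside the VPN and 2FA items rather than in place of them.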
How Sophos can help
Synchronized Security
Cloud Intelligence – SophosLabs
• Analytics: analyze data across all of Sophos' products to create simple, actionable insights and automatic resolutions
• 24x7x365, multi-continent operation
• Malware identities | URL database | machine learning | threat intelligence | genotypes | reputation | behavioral rules | APT rules | app identities | anti-spam | DLP | SophosID | sandboxing | API everywhere
Sophos Central
• Admin, Self Service, Partner
• Manage all Sophos products | user customizable alerts | management of customer installations
• In cloud or on prem
Products: Next-Gen Endpoint, Mobile, Server, Encryption, Next-Gen Firewall, Wireless, Web
EDR and MDR
What are Endpoint Detection and Response solutions?
Gartner definition: "The Endpoint Detection and Response Solutions (EDR) market is defined as solutions that record endpoint-system-level behaviors and events (for example user, file, process, registry, memory and network events) and store this information either locally on the endpoint or in a centralized database. Databases of known IOCs and behavior analytics techniques are then used to continually search the data for early identification of breaches (including insider threats), and to rapidly respond to those attacks. These tools also help with rapid investigation into the scope of attacks, and provide response capability."
EDR building blocks
• Endpoint data recorder – process activity, memory, network, file system, registry
• Anomaly and threat detection – threat intel feeds, confirmed attacks, suspect executables, admin hunting
• Investigation tools – situational awareness (who/what/where/when), assets at risk, scope of attack, activity map, deep insight, file and device forensics, reputation
• Containment and recovery – device isolation, quarantine, removal, "do no harm"
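The Gartner definition boils down to two operations over the recorded process stream: search it against known IOCs, and walk it to understand scope ("what spawned this?", "does it exist anywhere else?"). The block below is an added example, not Sophos code or the product's rule language: it indexes a constructed set of process-start events from two hosts, walks parent chains, and applies a behavioral rule (an Office application ending up launching a script interpreter, the shape of a macro dropper like the documents discussed earlier) plus an IOC hash rule that reports every host the hash was seen on. Host names, PIDs, command lines and the IOC hash are all constructed.

```python
"""Added example, not from the Sophos deck: the two questions an EDR console
answers first, "what spawned this?" and "does it exist anywhere else?",
implemented over a recorded process-start stream.  Rule 1 flags a script
interpreter with an Office application anywhere in its ancestry (a macro
dropper chain).  Rule 2 matches recorded image hashes against an IOC list
and reports every host that ran the hash.  Events and the IOC are constructed."""
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

ProcKey = Tuple[str, int]  # (host, pid)


def index_processes(events: List[dict]) -> Dict[ProcKey, dict]:
    return {(e["host"], e["pid"]): e for e in events}


def ancestry(procs: Dict[ProcKey, dict], host: str, pid: int) -> List[str]:
    """Image names from the process up to the root, e.g.
    ['powershell.exe', 'cmd.exe', 'winword.exe', 'explorer.exe']."""
    chain: List[str] = []
    seen = set()
    key = (host, pid)
    while key in procs and key not in seen:   # `seen` guards against PID reuse loops
        seen.add(key)
        proc = procs[key]
        chain.append(proc["image"].lower())
        key = (host, proc["ppid"])
    return chain


def evaluate(events: List[dict], ioc_hashes: Dict[str, str]) -> List[str]:
    procs = index_processes(events)
    alerts: List[str] = []
    # Rule 1: script interpreter with an Office application as an ancestor.
    for e in events:
        image = e["image"].lower()
        if image not in INTERPRETERS:
            continue
        chain = ancestry(procs, e["host"], e["pid"])
        office = [p for p in chain[1:] if p in OFFICE_APPS]
        if office:
            alerts.append(f"{e['host']}: {image} pid {e['pid']} descends from {office[0]}; "
                          f"chain: {' <- '.join(chain)}; cmd: {e['cmdline']}")
    # Rule 2: IOC hash match, reported once with every host that ran it.
    hosts_by_hash: Dict[str, set] = {}
    for e in events:
        if e["sha256"] in ioc_hashes:
            hosts_by_hash.setdefault(e["sha256"], set()).add(e["host"])
    for digest, hosts in hosts_by_hash.items():
        alerts.append(f"IOC {ioc_hashes[digest]} ({digest[:12]}...) seen on "
                      f"{len(hosts)} host(s): {', '.join(sorted(hosts))}")
    return alerts


def _p(host: str, pid: int, ppid: int, image: str, cmdline: str, sha256: str) -> dict:
    return {"host": host, "pid": pid, "ppid": ppid, "image": image,
            "cmdline": cmdline, "sha256": sha256}


IOC_HASHES = {"9f" * 32: "constructed dropper hash"}   # placeholder, not a real IOC
SAMPLE_EVENTS = [
    _p("HOST-A", 1000, 4, "explorer.exe", "explorer.exe", "11" * 32),
    _p("HOST-A", 2000, 1000, "winword.exe", '"WINWORD.EXE" /n invoice.doc', "22" * 32),
    _p("HOST-A", 3000, 2000, "cmd.exe", "cmd /c powershell -w hidden -enc SQBFAFgA", "33" * 32),
    _p("HOST-A", 4000, 3000, "powershell.exe", "powershell -w hidden -enc SQBFAFgA", "44" * 32),
    _p("HOST-A", 5000, 4000, "update.exe", r"C:\Users\Public\update.exe", "9f" * 32),
    _p("HOST-B", 500, 4, "services.exe", "services.exe", "55" * 32),
    _p("HOST-B", 600, 500, "svchost.exe", "svchost.exe -k netsvcs", "66" * 32),
    _p("HOST-B", 700, 600, "powershell.exe", r"powershell -File C:\Scripts\backup.ps1", "44" * 32),
    _p("HOST-B", 800, 1000, "update.exe", r"C:\Users\Public\update.exe", "9f" * 32),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS, IOC_HASHES):
        print(line)
```

The PowerShell on HOST-B is left alone because its ancestry is a service, not an Office application; the same binary hash on HOST-A is flagged because of where it came from. That is the difference between the file-centric questions on the earlier slide ("what is this file?") and the context an event recorder makes possible.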
Organizations Struggle with Endpoint Detection & Response
INCIDENT RESPONSE – Need more talent and hours in the day to respond to incidents
VISIBILITY & DETECTION – Blind spots make it difficult to understand what is happening
ANALYSIS & INVESTIGATION – Teams suffer from a lack of data or are overwhelmed by data
Typical Endpoint Detection & Response Tools Also Struggle
RESOURCE INTENSIVE
Expensive, time consuming, require dedicated staff
DIFFICULT TO USE
EDR can be complex to operate, rely heavily on expert security analysts
PROVIDE LIMITED VALUE
Lack of proactive protection and automated response leads to overloaded EDR
The result is that customers are overwhelmed
How should I respond?
Does it exist anywhere else?
What is this file? Am I under attack?
What should I prioritize?
Has the attack spread?
Do we have the skills?
Are we out of compliance?
Top-rated Endpoint Protection + Intelligent Endpoint Detection & Response
Intercept X Advanced with EDR
Consolidate protection and EDR into a single solution
EDR starts with the strongest protection
Threat vectors covered: script-based malware, malicious URLs, phishing attacks, removable media, .exe malware, non-.exe malware (.doc, .xls, .pdf), unauthorized apps, exploits
Protection layers
• Deep Learning Neural Network provides pre-execution malware prevention and is highly scalable, fast, and effective, especially against zero-day threats.
• Exploit prevention is effective for run-time prevention of exploit-based malware such as ransomware. Sophos Intercept X thrives with next-gen exploit prevention capabilities.
• Runtime behavior analysis continuously monitors for threats and stops evasive malware before damage occurs.
• Knowing the source/reputation of a file, URL, email, etc. can prevent an attack before it happens. Includes technologies such as MTD, download reputation, URL filtering, secure email gateway, etc.
• For server or locked-down endpoint environments, app control prevents unknown / unwanted apps from running.
• The only effective defense against in-memory malware.
• Device control: the only effective way to set policy to ensure removable media cannot put an organization at risk.
• Signature-based scanning provides reliable detection of script, document, and macro malware, and an efficient first line of defense against known executable variants.
Synchronized Security, managed in Sophos Central
Threat Case Evaluation
Intercept X Advanced – The best protection bar none
Introducing Sophos Managed Detection and Response
High-Fidelity Detections
Going beyond traditional detections, we combine deterministic and machine learning models to spot suspicious behaviors and the tactics, techniques and procedures used by the most advanced adversaries.
Proactive Defense
Combining threat intelligence with newly-discovered Indicators of Compromise (IoC) and Indicators of Attack (IoA) that are identified through analyst-led threat hunts, Intercept X proactively protects customer environments.
Elite Expertise
Our highly-trained team of threat hunters, engineers, ethical hackers and SOC specialists has your back 24/7, investigating anomalous behavior and responding to threats with speed and precision.
Key Service Features
Transparency and Control
You own the decisions and control how and when potential incidents are escalated, what response actions (if any) you want us to take, and who should be included in communications.
24/7 Threat Hunting
Confirmed threats and suspicious activities are investigated by human analysts and terminated before a business disruption or breach.
Automated Detection and Response
Response actions include killing processes, deleting registry keys and malicious files, applying IP blocks, upgrading applications and isolating devices.
Email Notifications
Detailed notifications on what response and investigation actions were taken, combined with easy-to-follow remediation guidance.
Standard MDR Offering
Security Health Check
Keep Intercept X operating at peak performance with proactive examinations of your operating conditions and recommended configuration improvements.
Data Retention
Data from all sensors are ingested and stored based on event hierarchy and data lifecycle. Incidents and associated critical events will be stored for periods up to 3 years.
Advanced MDR Offering
Providing the most comprehensive level of service, our Advanced MDR offering includes all Standard features, plus the following:
Advanced Threat Hunting
Confirmed malicious artifacts or activity (strong signals) are automatically blocked or terminated, freeing up threat hunters to aggregate and investigate causal and adjacent events (weak signals) to discover new Indicators of Attack (IoA) and Indicators of Compromise (IoC) that previously could not be detected.
Direct Collaboration with Responders
Collaborate directly with our team during active incidents. Our security operations team is available around-the-clock and backed by SophosLabs and support teams spanning 26 locations worldwide.
Enhanced Telemetry
More than just "Managed EDR," Managed Detection and Response must include event data and telemetry from other sources, starting with your other Sophos Central products.