
Agenda - Data Connectors · Some Good News –Use of Exploit Kits has fallen sharply 19 Fileless...

Date post: 22-May-2020

Agenda

Deconstructing the Threat Landscape

What can a hacker do in 3 hours

How Sophos can help


Deconstructing the Threat landscape


Cyber Attack Attribution Map – It sure looks fancy…


Who is Attacking?

77% Criminals

15% Espionage

5% Hacktivists

3% Warfare

We even have nation states launching ransomware

Stats – Hackmagedon.com


Continued rapid growth in new malware

By the end of 2019 over 1 Billion unique malware samples will exist

[Chart: Total Malware collected over time (AV-Test); x-axis 2005 to 2018, y-axis 0 to 900,000,000]

The Volume of malware is staggering

1990’s - Signature based Anti-Virus

o 1-1 map of ‘checksums’ to malware

o String Scanning

Requires a Victim to report the malware so a new signature can be built


The age of single-use disposable malware

75% of the malicious files SophosLabs detects are found only within a single organization.

Sophos Labs receives and processes 400,000 previously unseen malware samples each day.


2018 Threat Space Change – Kill Chain Compression (Cyber Kill Chain)

PRE-BREACH | POST-BREACH

o Recon: Harvesting e-mail addresses, conference information, etc.
o Weaponization: Coupling exploit with backdoor into deliverable payload
o Delivery: Delivering weaponized bundle to victim via email, web …
o Exploitation: Leveraging a vulnerability or functionality to execute code on victim’s machine
o Installation: Installing malware on the asset
o Command & Control: Command channel for remote manipulation of victim
o Actions on Objective: With ‘hands on keyboard’ access, intruders accomplish their goal

Firewall, Web and E-mail Filtering, Sandboxing, User Training

Traditional AV, File Scanning, White Listing

SIEM, EDR and Anomaly Detection


Emotet


“Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”

Source: US CERT, https://www.us-cert.gov/ncas/alerts/TA18-201A

First reported in 2014


EMOTET


2014

Banking Trojan

“Amongst the most costly and destructive threats to U.S. businesses right now”

U.S. Department for Homeland Security, 2018

2019

Crimeware-as-a-Service

Constant evolution

[Timeline labels: First Seen, Occasional Attacks, Sandbox Evasion, Upgraded Evasion; malware named on the timeline: Qakbot, Dridex, IcedID, Ryuk, ZBot, TrickBot]


Emotet payloads change constantly

[Chart: # of unique Emotet payload executables seen by SophosLabs; y-axis 0 to 800]

300 new payload executables every day


Usually Starts with Spam

Social engineering and brand spoofing


Emotet’s Goals

Spread across network

Skim email addresses and names

Send spam to infect other organizations

Download any malware payload(s)

Be a smokescreen for targeted ransomware

Steal browser histories, usernames and passwords

Data breach

Security breach

Reputation damage

Primary infection

Secondary infection

High Impact


Some Good News – Use of Exploit Kits has fallen sharply

Fileless Attack

Criminal uses
o Infect victim via Malvertising
o Deliver Ransomware, CryptoJackers, Botnets and Banking Trojans

Exploit kits that are no longer popular
o Blackhole – Arrested (2013)
o Angler – Russian crackdown (2016)
o Neutrino – Went private
o Sundown – Stopped their service, code leaked
o Disdain – Disappeared
o Terror – Disappeared

Currently Active Kits
o RIG
o Grandsoft
o Magnitude
o Fallout

Tactical shift to malicious documents, macros and scripts


Macro Enabled Documents


Some (more) Not So Good News…


Legal Cryptomining is an expensive undertaking


Native Code Attacks


We Want You…To Mine for Us!

Infect devices with cryptominers.

Move laterally, spread infection.

Remove other mining software.

Install bad code for future attacks.


The Rise Of Malicious JavaScript Miners

Cryptocurrencies surged in value during 2017

Crooks turned to malicious JavaScript miners to generate cryptocurrency

When a user surfs to a site or page hosting a malicious JS miner it just runs

CPU increases. The device slows to a crawl and gets hotter and hotter


Javascript Miner Example: CoinHive


The Grey-Zone of JavaScript Miners


“Watch our ads or we’ll use your CPU for cryptomining”

•Legitimate websites want to make money

•What’s the lesser of two evils?

•Legitimate or malicious?


Cyber Crime Revenues


Cybercrime will generate at least $1.5 trillion this year

Crime Annual Revenues

Illegal online markets $860 Billion

Trade secret, IP theft $500 Billion

Data Trading $160 Billion

Crime-ware/CaaS $1.6 Billion

Ransomware $1 Billion

Total Cybercrime Revenues $1.5 Trillion

https://www.thesslstore.com/blog/2018-cybercrime-statistics/

Cybercrime Product or Service Price (in US Dollars)

SMS Spoofing $20/month

Custom Spyware $200

Hacker-for-Hire $200+

Malware Exploit Kit $200-$700

Blackhole Exploit Kit $700/month or $1,500/year

Zero-Day Adobe Exploit $30,000

Zero-Day iOS Exploit $250,000


Threat Vectors, Payloads and Techniques

Infection Vectors

Malicious URLs
Phishing Attacks
Removable Media
Unauthorized Apps

70% Browsing
25% Email
Other 5%

Common Infection Payloads

.exe Malware: 32% Malicious Executables
- Frequently packed and obfuscated to avoid traditional signature scans
- May be hidden inside legitimate software
- Often deployed by other malware to establish persistence

Non-.exe Malware (.doc, .xls, .pdf): 45% Weaponized Documents
- Leverages authorized application to perform malicious activity
- Often uses existing system tools to complete the attack
- May use malformed content to exploit the legitimate application

Script-based Malware: 15% Malicious Scripts and HTML
- Typically JavaScript run in the browser
- Includes MSHTA, PowerShell, Cmd scripts etc.
- Often used to deliver malicious exe or establish connection to C2

Exploit Activity

Exploits (90% of breaches involved an exploit)
- Leverages a known or unknown vulnerability to execute code
- Often uses multiple exploit techniques to achieve objective
- May never deploy a file to the device and can stay in runtime memory


Agenda

Deconstructing the Threat Landscape

What can a hacker do in 3 hours

How Sophos can help


So what can a Hacker do in 3 hours? How about 10 min?


RDP credentials for sale

Cost per RDP password - $3.00 to $16.00


RDP Credential stores


UAS – Ultimate Anonymity Services

Over 40K RDP passwords for sale at any given time


Many organizations allow RDP


• To allow remote access Windows makes it easy

• Turn on RDP


So how did they steal my RDP password?


Search the internet for devices that allow RDP authentication

Follow the online video demos on how to brute force RDP with NLBrute


Now that you have an RDP password what


Anonymity

• Use the compromised device for other crimes

• Setup decoys on the device to delay investigators

SPAM Platform

• You have a server under your control, use it to send your spam campaign

Simple data theft

• You have full access, so see if they have anything of value on the box

Harvest more credentials

• Setup a key logger and wait for the user to do something interesting like log into a bank account

Crypto mining

• Start harvesting cryptocurrency using their CPU, electricity and cooling

Deploy ransomware

• As admin uninstall the AV

• Check if you can move laterally to get more boxes

• Encrypt and post the ransom note

• Wait for payment


Signup to a ‘Crimeware as a Service’ platform

Satan Services

• Create a ransomware sample for download

• Set your ransom price and payment conditions

• Collect the ransom payments for you

• Provide a decrypt tool if you want one

• Pay you 70% of the proceeds


Sign-up with optional two factor authentication

The last thing you want is some crook stealing all your hard work by hijacking your account

So use two factor authentication


Remember the RDP you just bought…


Issue your Ransom Note


Preventative Measures

In response to the threat, Sophos suggests taking the following precautions:

o If you don't need RDP, make sure it's turned off

o Consider using a virtual private network (VPN) for connections from outside your network

o Use two factor authentication (2FA) wherever you can

o Patch early, Patch often

o After an attack, check to see what the crooks have changed

o Set a lockout policy to limit password guessing attacks

Oh and Deploy Sophos Intercept X Advanced on all devices ☺
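
The password-guessing pattern that the lockout-policy and "check what the crooks have changed" precautions address can be spotted in logon records. The following is an added example, not part of the original slides: it counts failed RDP-style logons (Windows Security event 4625) per source address in a sliding window and records whether a successful logon (4624) followed. The event tuples, addresses, account names, threshold, window and function name are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security log: an account failed to log on
SUCCESSFUL_LOGON = 4624  # Windows Security log: an account was logged on
# Logon type 10 is RemoteInteractive (RDP). With Network Level Authentication,
# failed RDP logons are commonly recorded as type 3 (Network), so count both.
RDP_LOGON_TYPES = {3, 10}

# Constructed sample rows: (timestamp, event id, logon type, account, source address).
SAMPLE_EVENTS = [
    ("2019-06-01T02:10:00", 4625, 3, "administrator", "203.0.113.7"),
    ("2019-06-01T02:10:20", 4625, 3, "administrator", "203.0.113.7"),
    ("2019-06-01T02:10:40", 4625, 3, "admin", "203.0.113.7"),
    ("2019-06-01T02:11:00", 4625, 3, "admin", "203.0.113.7"),
    ("2019-06-01T02:11:20", 4625, 3, "backup", "203.0.113.7"),
    ("2019-06-01T02:11:40", 4625, 3, "backup", "203.0.113.7"),
    ("2019-06-01T02:12:00", 4624, 10, "backup", "203.0.113.7"),
    # A user mistyping a password twice and then getting in: not guessing.
    ("2019-06-01T08:00:00", 4625, 10, "jsmith", "198.51.100.20"),
    ("2019-06-01T08:00:15", 4625, 10, "jsmith", "198.51.100.20"),
    ("2019-06-01T08:00:40", 4624, 10, "jsmith", "198.51.100.20"),
    # Console logon failure (type 2): not remote, ignored.
    ("2019-06-01T09:00:00", 4625, 2, "jsmith", "-"),
]


def find_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source: finding} for sources with >= threshold failures inside window.

    Each finding holds the peak failure count, the accounts that were tried,
    and the first account that logged on successfully after the threshold
    was crossed (None if no success followed).
    """
    recent = defaultdict(deque)  # source -> failures still inside the window
    findings = {}
    for ts, event_id, logon_type, account, source in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        when = datetime.fromisoformat(ts)
        if event_id == FAILED_LOGON:
            attempts = recent[source]
            attempts.append((when, account))
            # Drop failures that have aged out of the sliding window.
            while when - attempts[0][0] > window:
                attempts.popleft()
            if len(attempts) >= threshold:
                hit = findings.setdefault(
                    source, {"failures": 0, "accounts": set(), "success_after": None}
                )
                hit["failures"] = max(hit["failures"], len(attempts))
                hit["accounts"].update(name for _, name in attempts)
        elif event_id == SUCCESSFUL_LOGON and source in findings:
            # A success from a source that was just guessing: treat the
            # account as compromised and review what changed on the host.
            if findings[source]["success_after"] is None:
                findings[source]["success_after"] = account
    return findings


if __name__ == "__main__":
    for source, hit in find_password_guessing(SAMPLE_EVENTS).items():
        print(source, hit["failures"], sorted(hit["accounts"]), hit["success_after"])
```
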


Agenda

Deconstructing the Threat Landscape

What can a hacker do in 3 hours

How Sophos can help


Synchronized Security

Cloud Intelligence

Sophos Labs

Analytics | Analyze data across all of Sophos’ products to create simple, actionable insights and automatic resolutions

24x7x365, multi-continent operation | Malware Identities | URL Database | Machine Learning | Threat Intelligence | Genotypes | Reputation | Behavioral Rules | APT Rules | App Identities | Anti-Spam | DLP | SophosID | Sandboxing | API Everywhere

Sophos Central

Admin | Self Service | Partner | Manage All Sophos Products | User Customizable Alerts | Management of Customer Installations

In Cloud On Prem

Next-Gen Endpoint

Mobile

Server

Encryption

Next-Gen Firewall

Wireless

Email

Web


EDR and MDR


What are Endpoint Detection and Response Solutions?

Gartner definition - The Endpoint Detection and Response Solutions (EDR) market is defined as solutions that record endpoint-system-level behaviors and events (for example user, file, process, registry, memory and network events) and store this information either locally on the endpoint or in a centralized database. Databases of known IOCs and behavior analytics techniques are then used to continually search the data to identify early identification of breaches (including insider threats), and to rapidly respond to those attacks. These tools also help with rapid investigation into the scope of attacks, and provide response capability

Endpoint Data Recorder

Anomaly and Threat Detection

Investigation Tools

Containment and Recovery

Process activity, Memory, Network, File system, Registry

Threat intel feeds, Confirmed attacks, Suspect executables, Admin hunting

Situational awareness, Who/What/Where/When, Assets at risk, Scope of attack

Activity map, Deep insight

File and Device Forensics

Reputation

Device Isolation, Quarantine, Removal, Do no harm


Organizations Struggle with Endpoint Detection & Response

INCIDENT RESPONSE: Need more talent and hours in the day to respond to incidents

VISIBILITY & DETECTION: Blind spots make it difficult to understand what is happening

ANALYSIS & INVESTIGATION: Teams suffer from a lack of data or are overwhelmed by data


Typical Endpoint Detection & Response Tools Also Struggle

RESOURCE INTENSIVE

Expensive, time consuming, require dedicated staff

DIFFICULT TO USE

EDR can be complex to operate, rely heavily on expert security analysts

PROVIDE LIMITED VALUE

Lack of proactive protection and automated response leads to overloaded EDR


The result is that Customers are Overwhelmed

How should I respond?

Does it exist anywhere else?

What is this file? Am I under attack?

What should I prioritize?

Has the attack spread?

Do we have the skills?

Are we out of compliance?


Top-rated Endpoint Protection

Intelligent Endpoint Detection & Response

Intercept X Advanced with EDR

Consolidate protection and EDR into a single solution


EDR starts with the strongest protection


Intercept X Advanced – The best protection bar none

Script-based Malware

Malicious URLs

Phishing Attacks

Removable Media

.exe Malware

Non-.exe Malware

Unauthorized Apps

Exploits

Deep Learning Neural Network provides pre-execution malware prevention and is highly scalable, fast, and effective, especially against zero-day threats.

Effective for run-time prevention of exploit-based malware such as ransomware. Sophos Intercept X thrives with next-gen exploit prevention capabilities.

Runtime behavior analysis continuously monitors for threat and stops evasive malware before damage occurs.

Knowing the source/reputation of a file, URL, email, etc. can prevent an attack before it happens. Includes technologies such as MTD, download reputation, URL filtering, secure email gateway, etc.

For server or locked-down endpoint environments, app control prevents unknown / unwanted apps from running.

The only effective defense against in-memory malware.

The only effective way to set policy to ensure removable media cannot put an organization at risk.

Provides reliable detection of script, document, and macro malware, and an efficient first line of defense against known executable variants.

Synchronized Security

Sophos Central Mgmt.

.doc .xls .pdf

Threat Case Evaluation


Introducing Sophos Managed Detection and Response


Key Service Features

High-Fidelity Detections

Going beyond traditional detections, we combine deterministic and machine learning models to spot suspicious behaviors and the tactics, techniques and procedures used by the most advanced adversaries.

Proactive Defense

Combining threat intelligence with newly-discovered Indicators of Compromise (IoC) and Indicators of Attack (IoA) that are identified through analyst-led threat hunts, Intercept X proactively protects customer environments.

Elite Expertise

Our highly-trained team of threat hunters, engineers, ethical hackers and SOC specialists has your back 24/7, investigating anomalous behavior and responding to threats with speed and precision.

Transparency and Control

You own the decisions and control how and when potential incidents are escalated, what response actions (if any) you want us to take, and who should be included in communications.


Standard MDR Offering

24/7 Threat Hunting

Confirmed threats and suspicious activities are investigated by human analysts and terminated before a business disruption or breach

Automated Detection and Response

Response actions include killing processes, deleting registry keys and malicious files, applying IP blocks, upgrading applications and isolating devices.

Email Notifications

Detailed notifications on what response and investigation actions were taken, combined with easy-to-follow remediation guidance.

Security Health Check

Keep Intercept X operating at peak performance with proactive examinations of your operating conditions and recommended configuration improvements.

Data Retention

Data from all sensors are ingested and stored based on event hierarchy and data lifecycle. Incidents and associated critical events will be stored for periods up to 3 years.


Advanced MDR Offering

Providing the most comprehensive level of service, our Advanced MDR offering includes all Standard features, plus the following:

Advanced Threat Hunting

Confirmed malicious artifacts or activity (strong signals) are automatically blocked or terminated, freeing up threat hunters to aggregate and investigate causal and adjacent events (weak signals) to discover new Indicators of Attack (IoA) and Indicators of Compromise (IoC) that previously could not be detected.

Direct Collaboration with Responders

Collaborate directly with our team during active incidents. Our security operations team is available around-the-clock and backed by SophosLabs and support teams spanning 26 locations worldwide.

Enhanced Telemetry

More than just “Managed EDR,” Managed Detection and Response must include event data and telemetry from other sources, starting with your other Sophos Central products.
