FIGHTING BACK
Harm van Koppen, DCM
Jos Overbeeke, Sales Engineer
May 2017
Threat Landscape 2017
Traditional Malware | Advanced Threats
The Evolution of Security
From Anti-Malware to Anti-Exploit
• Exposure Prevention: URL Blocking, Web/App/Dev Ctrl, Download Rep
• Pre-Exec Analytics: Generic Matching, Heuristics, Core Rules
• File Scanning: Known Malware, Malware Bits
• Run-Time Behavior Analytics: Runtime Behavior
• Exploit Detection: Technique Identification
Exploiting Software Vulnerabilities
• Exploit Kits
o Higher level of effort / cost
o No user interaction required
o Better chance of success
https://blogs.technet.microsoft.com/mmpc/2017/01/23/exploit-kits-remain-a-cybercrime-staple-against-outdated-software-2016-threat-landscape-review-series/
Reported Vulnerabilities By Year (NIST National Vulnerability Database): 6435 so far in 2017
https://beta.nvd.nist.gov/vuln-metrics/visualizations/cvss-severity-distribution-over-time
Exploits in Kits (January 2017)
Ransomware Overview
Source: https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
Last Friday … The Drop: HTA → EXE
Malvertising Threat Chain (diagram): Third Party, Ad Network, RTB
No Site Is Immune
Anatomy of a ransomware attack: Exploits As a Service (diagram)
• Victims: Initial Request → Redirection → Landing Page → Exploits → Payloads
• Exploit Kit Customers: Malicious Payloads, Stats
• Exploit Kit Admin (via Tor) → Management Panel: Get Current Domain, Get Stats, Update payloads
• Malware Distribution Servers, Gateway Servers
Raging Ransomware Roadshow May
Why are these attacks so successful?
Professional attack technology
• Highly professional approach, e.g. usually provides the actual decryption key after payment of the ransom
• Skillful social engineering
• Hide malicious code in technologies that are permitted in many companies, e.g. Microsoft Office macros, JavaScript, VBScript, Flash …
Why are these attacks so successful?
Security weaknesses in the affected companies
• Inadequate backup strategy
• Updates and patches are not implemented swiftly enough
• Dangerous user rights/permissions – more than users need
• Lack of user security training
• Security systems are not implemented or used correctly
• Lack of IT security knowledge
• Conflicting priorities: security vs productivity concerns
HAVE A PLAN – ENDPOINT
• Backup
• Patch Early, Patch Often
• PowerShell, macros, wscript, js, hta: Group policy controls; Redirect to notepad
• Show file extensions – myfile.pdf.js
• Remove excess apps & permissions
• Review Endpoint Protection Policies
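The endpoint checklist above names two controls an administrator can verify on a machine before and after rolling out the Group Policy change: whether the script types that droppers arrive as (js, hta and the other wscript-handled files) still open in their interpreter on double-click or have been redirected to notepad, and whether Explorer hides known file extensions, which is what makes myfile.pdf.js display as myfile.pdf. The PowerShell audit below is an added example, not part of the Sophos deck and not a Sophos tool. It reads the effective file associations from HKCR and the HideFileExt Explorer setting, and runs a double-extension check over a few constructed attachment names. The extension list and the set of "document-looking" extensions are my own choices; the script is read-only and changes nothing, since the remediation itself is deployed through Group Policy as the slide says.

```powershell
# Added example (not from the Sophos deck): read-only audit of the two endpoint
# controls on the "Have a plan" slide. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows, run as the user whose Explorer settings you care about.

# Script-host extensions commonly used for droppers: the slide's wscript/js/hta
# plus the other WSH-handled types and .ps1. This list is my own choice.
$ScriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.ps1'

# Interpreters that actually execute the file when it is double-clicked.
$ExecutingHostPattern = 'wscript\.exe|cscript\.exe|mshta\.exe|powershell\.exe'

function Get-OpenCommand {
    param([string]$Extension)
    # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
    # so it is the association Explorer will actually use for this user.
    $progId = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$Extension" `
                -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
        -ErrorAction SilentlyContinue).'(default)'
}

function Get-ScriptHandlerReport {
    # One row per extension: what double-clicking it does today.
    foreach ($ext in $ScriptExtensions) {
        $cmd = Get-OpenCommand -Extension $ext
        $state = if (-not $cmd)                          { 'no handler' }
                 elseif ($cmd -match 'notepad\.exe')     { 'redirected to notepad' }
                 elseif ($cmd -match $ExecutingHostPattern) { 'EXECUTES on double-click' }
                 else                                    { 'other handler' }
        [pscustomobject]@{ Extension = $ext; State = $state; Command = $cmd }
    }
}

function Test-FileExtensionsVisible {
    # HideFileExt = 1 means Explorer hides known extensions, so invoice.pdf.js
    # is shown as invoice.pdf. 0 (or a missing value) means extensions are shown.
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $value = (Get-ItemProperty -LiteralPath $advanced -ErrorAction SilentlyContinue).HideFileExt
    return (-not $value)
}

function Test-DisguisedName {
    param([string]$Name)
    # Flags a double extension whose real (last) extension is a script type while
    # the visible part looks like a document or image, e.g. invoice.pdf.js.
    $parts = $Name.Split('.')
    if ($parts.Count -lt 3) { return $false }
    $real = '.' + $parts[-1].ToLower()
    $fake = '.' + $parts[-2].ToLower()
    $documentLike = '.pdf', '.doc', '.docx', '.xls', '.xlsx', '.jpg', '.png', '.txt'   # my own choice
    return ($ScriptExtensions -contains $real) -and ($fake -in $documentLike)
}

# --- run the audit ---
Get-ScriptHandlerReport | Format-Table -AutoSize
"Explorer shows file extensions: $(Test-FileExtensionsVisible)"

# Constructed sample attachment names, not real samples.
$samples = 'quarterly_report.pdf', 'invoice.pdf.js', 'photo.jpg.vbe', 'readme.txt', 'setup.hta'
foreach ($s in $samples) {
    '{0,-22} disguised double extension: {1}' -f $s, (Test-DisguisedName -Name $s)
}
```

Run it once on a reference machine to record the baseline, then again after the Group Policy preference has applied; every row in the handler report should read "redirected to notepad" and the HideFileExt check should return True. Because the script reads only the current user's merged view, run it in the context of an ordinary user account rather than an administrator to see what that user's Explorer will do.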
SECURE THE USER
Execution
• Education, Education, Education
o Sophos Phish Threat
o Use real world samples
o Make it fun
o Every click is an opportunity to learn
• Make it easy to report phishing
• Look for risky behaviour
How Sophos can help
Introducing Sophos Intercept X
Advanced Malware | Zero-Day Exploits | Limited Visibility
Anti-Exploit
Prevent Exploit Techniques
• Signatureless Exploit Prevention
• Protects Patient-Zero / Zero-Day
• Blocks Memory-Resident Attacks
• Tiny Footprint & Low False Positives
No User/Performance Impact
No File Scanning
No Signatures
Automated Incident Response
• IT Friendly Incident Response
• Process Threat Chain Visualization
• Prescriptive Remediation Guidance
• Advanced Malware Clean
Root-Cause Analysis
Faster Incident Response
Root-Cause Visualization
Forensic Strength Clean
Detect Next-Gen Threats
• Stops Malicious Encryption
• Behavior Based Conviction
• Automatically Reverts Affected Files
• Identifies source of Attack
Anti-Ransomware
Prevent Ransomware Attacks
Roll-Back Changes
Attack Chain Analysis
The Memory Drop – Sailing past file scanning AV (exploit chain diagram)
• Preparation: Heap Spray
• Triggering: Use after Free (Memory Corruption)
• Gain Control: Stack Pivot
• Circumvent (DEP): ROP
• Post: Call OS function
• Payload Drop: In-Memory, then On Disk (Ransomware Activity) – the stage at which file-scanning Antivirus engages
• Most exploit-based attacks consist of 2 or more techniques
• Exploit techniques do not change and are mandatory to exploit existing and future software vulnerabilities
Intercepting Exploit Techniques (Overview)
• Stack Pivot – Stops abuse of the stack pointer
• Stack Exec – Stops attacker's code on the stack
• Stack-based ROP Mitigations – Stops standard Return-Oriented Programming attacks
• Branch-based ROP Mitigations (Hardware Assisted) – Stops advanced Return-Oriented Programming attacks
• Import Address Table Filtering (IAF) (Hardware Assisted) – Stops attackers that look up API addresses in the IAT
• SEHOP – Protects against overwriting of the structured exception handler
• Load Library – Prevents loading of libraries from UNC paths
• Reflective DLL Injection – Prevents loading of a library from memory into a host process
• Shellcode – Stops code execution in the presence of exploit shellcode
• VBScript God Mode – Prevents abuse of VBScript in IE to execute malicious code
• WoW64 – Stops attacks that address 64-bit functions from a WoW64 (32-bit) process
• Syscall – Stops attackers that attempt to bypass security hooks
• Enforce Data Execution Prevention (DEP) – Prevents abuse of buffer overflows
• Mandatory Address Space Layout Randomization (ASLR) – Prevents predictable code locations
• Bottom Up ASLR – Improved code location randomization
• Null Page (Null Dereference Protection) – Stops exploits that jump via page 0
• Heap Spray Allocation – Pre-allocates common memory areas to block sample attacks
• Dynamic Heap Spray – Stops attacks that spray suspicious sequences on the heap
• VTable Hijacking – Helps to stop attacks that exploit virtual tables in Adobe Flash Player
• Hollow Process – Stops attacks that use legitimate processes to hide hostile code
• DLL Hijacking – Gives priority to system libraries for downloaded applications
• Application Lockdown – Stops logic-flaw attacks that bypass mitigations
• Java Lockdown – Prevents attacks that abuse Java to launch Windows executables
• AppLocker Bypass – Prevents regsvr32 from running remote scripts and code
Root Cause Analysis
Understanding the Who, What, When, Where, Why and How
Sophos Clean
Malware Removal. Vulnerability Assessment.
Works with existing AV
• Signatureless, on-demand scanner
• Does not need to be installed
• Shows what the others missed
• 30-Day Free License
Removes Threats
• Deep System Inspection
• Removes Malware Remnants
• Full Quarantine / Removal
• Effective Breach Remediation
On-Demand Assessment
• Identifies Risky Files / Processes
• Constantly Refreshed Database
• Provides Additional Confidence
• Command-Line Capable
So that's it?
• Intercept X: Anti Exploit, CryptoGuard, Root Cause Analysis, Clean
• AV Standard: Anti Malware / HIPS, Live Protection, Real time scanning, Download Reputation, URL Filtering
• AV Advanced: Device Control, Application Control, Web Control, Data Loss Protection
• Server Advanced: Web Security, Server Lockdown, Device Control, Application Control, CryptoGuard
• Server Standard: Anti Malware, Live Protection, AWS integration, Automatic Exclusions, Download Reputation, Thin Agent for VMs
• Mobile Standard / Mobile Advanced: Mobile Content Management, Secure Workspace container, Secure Email container, Mobile Security, Mobile SDK, Mobile Device Management, Mobile App Management, Mobile Email Management
Secure your Endpoints – Sophos Central
1. Single Console
2. Easy 30 Day Trial
3. Easy Conversion
4. Much to come
WannaCrypt
Sophos Root Cause Analysis
CryptoGuard
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 

Raging Ransomware Roadshow May

  • 1. FIGHTING BACK. Harm van Koppen, DCM; Jos Overbeeke, Sales Engineer. May 2017
  • 3. The Evolution of Security: From Anti-Malware to Anti-Exploit (diagram, from Traditional Malware to Advanced Threats)
       o Exposure Prevention: URL Blocking, Web/App/Dev Ctrl, Download Rep
       o Pre-Exec Analytics: Generic Matching, Heuristics, Core Rules
       o File Scanning: Known Malware, Malware Bits
       o Run-Time Behavior Analytics: Runtime Behavior
       o Exploit Detection: Technique Identification
  • 4. Exploiting Software Vulnerabilities
       • Exploit Kits
         o Higher level of effort / cost
         o No user interaction required
         o Better chance of success
       https://blogs.technet.microsoft.com/mmpc/2017/01/23/exploit-kits-remain-a-cybercrime-staple-against-outdated-software-2016-threat-landscape-review-series/
       Reported Vulnerabilities By Year (NIST National Vulnerability Database, https://beta.nvd.nist.gov/vuln-metrics/visualizations/cvss-severity-distribution-over-time): 6435 so far in 2017
  • 5. Exploits in Kits (January 2017). Ransomware Overview. Source: https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
  • 9. Malvertising Threat Chain (diagram labels: THIRD PARTY, AD NETWORK, RTB)
  • 10. No Site Is Immune
  • 11. Anatomy of a ransomware attack
  • 12. Exploits As a Service (diagram labels: Initial Request, Victims, Exploit Kit Customers, Redirection, Malicious Payloads, Stats, Landing Page, Tor, Exploit Kit Admin, Exploits, Payloads, Get Current Domain, Get Stats, Update payloads, Management Panel, Malware Distribution Servers, Gateway Servers)
  • 14. Why these attacks are so successful
  • 15. Why are these attacks so successful? Professional attack technology
       • Highly professional approach, e.g. usually provides the actual decryption key after payment of the ransom
       • Skillful social engineering
       • Hide malicious code in technologies that are permitted in many companies, e.g. Microsoft Office macros, JavaScript, VBScript, Flash …
  • 16. Why are these attacks so successful? Security weaknesses in the affected companies
       • Inadequate backup strategy
       • Updates and patches are not implemented swiftly enough
       • Dangerous user/rights permissions – more than they need
       • Lack of user security training
       • Security systems are not implemented or used correctly
       • Lack of IT security knowledge
       • Conflicting priorities: security vs productivity concerns
  • 18. ENDPOINT
       • Backup
       • Patch Early, Patch Often
       • Execution: PowerShell, macros, wscript, js, hta
         o Group policy controls
         o Redirect to notepad
         o Show file extensions – myfile.pdf.js
       • Remove excess apps & permissions
       • Review Endpoint Protection Policies
  • 19. SECURE THE USER
       • Education, Education, Education
         o Sophos Phish Threat
         o Use real world samples
         o Make it fun
         o Every click is an opportunity to learn
       • Make it easy to report phishing
       • Look for risky behaviour
  • 21.
  • 22. Introducing Sophos Intercept X (headline labels: ADVANCED MALWARE, ZERO DAY EXPLOITS, LIMITED VISIBILITY)
       • Anti-Exploit: Prevent Exploit Techniques
         o Signatureless Exploit Prevention
         o Protects Patient-Zero / Zero-Day
         o Blocks Memory-Resident Attacks
         o Tiny Footprint & Low False Positives
         No User/Performance Impact, No File Scanning, No Signatures
       • Root-Cause Analysis: Automated Incident Response
         o IT Friendly Incident Response
         o Process Threat Chain Visualization
         o Prescriptive Remediation Guidance
         o Advanced Malware Clean
         Faster Incident Response, Root-Cause Visualization, Forensic Strength Clean
       • Anti-Ransomware: Detect Next-Gen Threats
         o Stops Malicious Encryption
         o Behavior Based Conviction
         o Automatically Reverts Affected Files
         o Identifies source of Attack
         Prevent Ransomware Attacks, Roll-Back Changes, Attack Chain Analysis
  • 23. The Memory Drop: Sailing past file scanning AV
       • Most exploit-based attacks consist of 2 or more techniques
       • Exploit techniques do not change and are mandatory to exploit existing and future software vulnerabilities
       Attack chain shown (In-Memory stages first, then On Disk): PREPARATION (Heap Spray), TRIGGERING (Use after Free / Memory Corruption), GAIN CONTROL (Stack Pivot), CIRCUMVENT (DEP) (ROP), POST (Call OS function), PAYLOAD DROP (Ransomware Activity; Antivirus)
  • 24. Intercepting Exploit Techniques (Overview)
       • Stack Pivot: Stops abuse of the stack pointer
       • Stack Exec: Stops attacker's code on the stack
       • Stack-based ROP Mitigations: Stops standard Return-Oriented Programming attacks
       • Branch-based ROP Mitigations (Hardware Assisted): Stops advanced Return-Oriented Programming attacks
       • Import Address Table Filtering (IAF) (Hardware Assisted): Stops attackers that look up API addresses in the IAT
       • SEHOP: Protects against overwriting of the structured exception handler
       • Load Library: Prevents loading of libraries from UNC paths
       • Reflective DLL Injection: Prevents loading of a library from memory into a host process
       • Shellcode: Stops code execution in the presence of exploit shellcode
       • VBScript God Mode: Prevents abuse of VBScript in IE to execute malicious code
       • WoW64: Stops attacks that address 64-bit functions from a WoW64 (32-bit) process
       • Syscall: Stops attackers that attempt to bypass security hooks
       • Enforce Data Execution Prevention (DEP): Prevents abuse of buffer overflows
       • Mandatory Address Space Layout Randomization (ASLR): Prevents predictable code locations
       • Bottom Up ASLR: Improved code location randomization
       • Null Page (Null Dereference Protection): Stops exploits that jump via page 0
       • Heap Spray Allocation: Pre-allocates common memory areas to block example attacks
       • Dynamic Heap Spray: Stops attacks that spray suspicious sequences on the heap
       • VTable Hijacking: Helps to stop attacks that exploit virtual tables in Adobe Flash Player
       • Hollow Process: Stops attacks that use legitimate processes to hide hostile code
       • DLL Hijacking: Gives priority to system libraries for downloaded applications
       • Application Lockdown: Stops logic-flaw attacks that bypass mitigations
       • Java Lockdown: Prevents attacks that abuse Java to launch Windows executables
       • AppLocker Bypass: Prevents regsvr32 from running remote scripts and code
  • 25. Root Cause Analysis: Understanding the Who, What, When, Where, Why and How
  • 26. Sophos Clean: Malware Removal. Vulnerability Assessment. Works with existing AV
       • Signatureless, on-demand scanner
       • Does not need to be installed
       • Shows what the others missed
       • 30-Day Free License
       Removes Threats
         o Deep System Inspection
         o Removes Malware Remnants
         o Full Quarantine / Removal
         o Effective Breach Remediation
       On-Demand Assessment
         o Identifies Risky Files / Processes
         o Constantly Refreshed Database
         o Provides Additional Confidence
         o Command-Line Capable
  • 28. Secure your Endpoints
       • Intercept X: Anti Exploit, CryptoGuard, Root Cause Analysis, Clean
       • AV Standard: Anti Malware / HIPS, Live Protection, Real time scanning, Download Reputation, URL Filtering
       • AV Advanced: Device Control, Application Control, Web Control, Data Loss Protection
       • Server Advanced: Web Security, Server Lockdown, Device Control, Application Control, CryptoGuard
       • Server Standard: Anti Malware, Live Protection, AWS integration, Automatic Exclusions, Download Reputation, Thin Agent for VMs
       • Mobile Standard / Mobile Advanced: Mobile Content Management, Secure Workspace container, Secure Email container, Mobile Security, Mobile SDK, Mobile Device Management, Mobile App management, Mobile Email Management
  • 29. Sophos Central: 1 Single Console; 2 Easy 30 Day Trial; 3 Easy Conversion; 4 Much to come
  • 31. Sophos Root Cause Analysis
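Two of the slide 18 "Execution" controls, redirecting script file types to Notepad and showing file extensions, checked and applied on a single Windows host with PowerShell. This is an added example, not code from the Sophos deck; it assumes an elevated session and the standard Windows ProgIDs for Windows Script Host and HTA files, and at scale the same registry values would be pushed through Group Policy (the slide's "Group policy controls").

```powershell
# Added example, not from the Sophos deck: audit (and with -Remediate, enforce) two of
# the slide 18 "Execution" controls on one Windows host: script files open in Notepad
# instead of WScript/MSHTA, and Explorer shows file extensions. Assumes an elevated
# session; the ProgIDs are the standard Windows Script Host and HTA handlers.
[CmdletBinding()]
param([switch]$Remediate)   # without -Remediate the script only reports

# ProgIDs whose "open" verb normally launches wscript.exe / mshta.exe on double-click.
$scriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile', 'htafile'
$notepadCmd    = '"{0}\System32\notepad.exe" "%1"' -f $env:SystemRoot

$findings = foreach ($progId in $scriptProgIds) {
    # HKLM holds the machine default; a per-user override under HKCU:\Software\Classes
    # or an Explorer "UserChoice" entry would still win, so audit those for each user too.
    $key     = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    $current = if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { '<missing>' }
    $safe    = [bool]($current -match 'notepad\.exe')
    if ($Remediate -and -not $safe) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name '(default)' -Value $notepadCmd
        $current = $notepadCmd
        $safe    = $true
    }
    [pscustomobject]@{ ProgId = $progId; OpenCommand = $current; OpensInNotepad = $safe }
}
$findings | Format-Table -AutoSize

# Explorer hides known extensions by default, so "invoice.pdf.js" is displayed as
# "invoice.pdf" (the slide's myfile.pdf.js example). HideFileExt=0 makes it visible.
$advKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hideExt -ne 0) {
    if ($Remediate) {
        Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0
        Write-Host 'HideFileExt set to 0; sign out or restart explorer.exe to apply.'
    } else {
        Write-Warning 'Known extensions are hidden (HideFileExt=1): double extensions like myfile.pdf.js are not visible.'
    }
} else {
    Write-Host 'File extensions are shown (HideFileExt=0).'
}
```

Run it without switches for a read-only report, or with -Remediate to apply the changes.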

Editor's Notes

  1. Goal: Help you make the most of an opportunity right now. Ransomware is a horrible thing, but it presents you with a fantastic opportunity that we see some of our partners making the most of right now. We want to help you position yourself as knowledgeable on ransomware with your customers and act as a trusted advisor on what they can do to better protect themselves from the threat of ransomware. We are going to do that by examining a few news stories to work out how it typically gets in, then look at what it does and why it is so good at evading your AV, and most importantly, what you can do about it to help your customers. And if time allows, we are going to ask Russ to completely hose his machine with ransomware so you can see this running in real time.
  2. Like threats, security had to evolve: file scanning, heuristics, limiting the attack surface (prevent). Good, but reactive: focused on history, the known, defense. Now the move to proactive: the unknown, offense. Why? The move to hacking. What if they use legitimate credentials, apps, systems…
  3. RTB (Real Time Bidding). "You won a gift certificate". Last week: Spotify Free, malware via advertisements. According to the Fox-IT Security Operations Center, at least 288 websites were affected, and it is believed that a compromised ad network was responsible for so many sites being affected simultaneously. A lot of the popular news sites in The Netherlands were hit: nu.nl, marktplaats.nl, sbs6.nl, rtlnieuws.nl, rtlz.nl, startpagina.nl, buienradar.nl. Angler was used in this case.
  4. Sophisticated / coordinated targets: 25-50, IT, Mumbai, India; banking, IT (Bangalore).
  5. Satan: you heard about this in the threat landscape session with Chet and John. We must not forget the business that is behind ransomware; this is how easy it is for me to get my own flavour of ransomware. It only costs me 30% of my ransom.
  6. They act like a normal company, have FAQs and support, and usually provide the decryption key after the payment. They use social engineering and hide the code in programs and documents that many companies use every day, like macros and JavaScript.
  7. Ransomware attacks can bring a business to a screeching halt within seconds, yet many organizations don't have a proper protocol in place to deal with outbreaks. As such, getting out from under ransomware can take weeks. As a trusted advisor you can help build that. What would it take to recover? What does the backup and recovery strategy look like? How acceptable is data loss? How long would it take to get each machine up and running? How many can we do in parallel? What does that recovery cost look like? Often this will be a tweak on an existing cyber security plan, but factor in the risks and cost of data loss and downtime.
  8. Stopping the attack pre-execution of the malicious payload.
  9. Another way to describe a Return Oriented Programming attack is: Imagine RAM is a book. If you and I both run Firefox on our computers, we both have a chapter for Firefox. Those chapters will be almost identical (apart from all the parts about the tabs / websites we have open). If I study the chapter on my computer, I can see that if I pick this word, and this word, and this word, and string them together, I can build a malicious sentence - instructions to launch an attack. So even though I don't bring any malicious code on to the computer I want to attack, I can build the malicious code in memory, thanks to the instructions already there.
  10. Sophos Clean is a signatureless, on-demand malware scanner that's just 11 MB and does not need to be installed. You can run it from a USB flash drive, a CD/DVD, or from network attached storage, which is nice if malware is manipulating the installed antivirus software and its updates.