See how an attack works, how you can make your colleagues and customers more aware of the dangers of ransomware and, perhaps most importantly, how you can protect yourself using Sophos Intercept X.
3. The Evolution of Security: From Anti-Malware to Anti-Exploit
(slide diagram: a spectrum running from Traditional Malware to Advanced Threats, with these protection layers along it)
• Exposure Prevention: URL Blocking, Web/App/Device Control, Download Reputation
• Pre-Exec Analytics: Generic Matching, Heuristics, Core Rules
• File Scanning: Known Malware, Malware Bits
• Run-Time Behavior Analytics: Runtime Behavior
• Exploit Detection: Technique Identification
4. Exploiting Software Vulnerabilities
• Exploit Kits
o Higher level of effort / cost
o No user interaction required
o Better chance of success
https://blogs.technet.microsoft.com/mmpc/2017/01/23/exploit-kits-remain-a-cybercrime-staple-against-outdated-software-2016-threat-landscape-review-series/
(chart: Reported Vulnerabilities By Year, NIST National Vulnerability Database; 6435 so far in 2017)
https://beta.nvd.nist.gov/vuln-metrics/visualizations/cvss-severity-distribution-over-time
5. Exploits in Kits (January 2017)
Ransomware Overview
Source: https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
12. Exploits As a Service
(slide diagram of an exploit-kit operation; the labelled components are listed below)
• Victims: Initial Request, Redirection, Landing Page
• Gateway Servers
• Exploits, Payloads
• Exploit Kit Customers: Malicious Payloads, Stats
• Exploit Kit Admin and Management Panel (over Tor): Get Current Domain, Get Stats, Update payloads
• Malware Distribution Servers
15. Why are these attacks so successful?
Professional attack technology
• Highly professional approach, e.g. usually provides the actual decryption key after payment of the ransom
• Skillful social engineering
• Hide malicious code in technologies that are permitted in many companies, e.g. Microsoft Office macros, JavaScript, VBScript, Flash …
16. Why are these attacks so successful?
Security weaknesses in the affected companies
• Inadequate backup strategy
• Updates and patches are not implemented swiftly enough
• Dangerous user rights/permissions – more than they need
• Lack of user security training
• Security systems are not implemented or used correctly
• Lack of IT security knowledge
• Conflicting priorities: security vs productivity concerns
18. ENDPOINT
• Backup
• Patch Early, Patch Often
• Execution: PowerShell, macros, wscript, js, hta
o Group policy controls
o Redirect to notepad
o Show file extensions – myfile.pdf.js
• Remove excess apps & permissions
• Review Endpoint Protection Policies
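The "Show file extensions – myfile.pdf.js" point above is about a specific trick: Windows hides the last extension of known file types, so a script named myfile.pdf.js is displayed as myfile.pdf and runs under Windows Script Host when double-clicked. The following added example (written for this page, not Sophos code) shows the check a mail gateway or endpoint policy can apply: it computes what Explorer would display, flags script-host extensions outright, and treats a script hiding behind a document extension as a disguised attachment. The extension sets are constructed starting points, not a vendor list.

```python
"""Classify attachment names for the double-extension trick (myfile.pdf.js).

Constructed example for this page. The extension sets are assumptions: a
starting point for a gateway or endpoint policy, not an official list.
"""
import os

# Script-host and executable formats the slide names (js, wscript, hta,
# PowerShell) plus their common relatives.
SCRIPT_EXTENSIONS = {
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "psm1",
    "bat", "cmd", "scr", "exe", "pif",
}
# Extensions that make a file look like a harmless document or image.
DOCUMENT_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png",
}
# Office formats that may carry macros: not blocked outright, but reviewed.
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm"}


def displayed_name(filename: str) -> str:
    """Name Explorer shows when 'hide extensions for known file types' is on:
    only the final extension is stripped, so 'myfile.pdf.js' becomes 'myfile.pdf'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify(filename: str) -> tuple:
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    name = os.path.basename(filename.strip().lower())
    parts = name.split(".")
    if len(parts) < 2 or parts[-1] == "":
        return ("review", "no extension")
    ext = parts[-1]
    inner = parts[-2] if len(parts) >= 3 else ""
    if ext in SCRIPT_EXTENSIONS:
        if inner in DOCUMENT_EXTENSIONS:
            # The real (hidden) extension is a script; the visible one is a document.
            return ("block", "script disguised as %s" % inner)
        return ("block", "script or executable (.%s)" % ext)
    if ext in MACRO_EXTENSIONS:
        return ("review", "macro-enabled Office document")
    if ext in DOCUMENT_EXTENSIONS:
        return ("allow", "document")
    return ("review", "unknown extension .%s" % ext)


def triage(filenames: list) -> dict:
    """Group a batch of attachment names by verdict, preserving input order."""
    out = {"block": [], "review": [], "allow": []}
    for f in filenames:
        out[classify(f)[0]].append(f)
    return out


if __name__ == "__main__":
    # Constructed sample attachment names.
    samples = ["invoice.pdf", "myfile.pdf.js", "Q3 figures.xlsm", "setup.hta", "README"]
    for s in samples:
        verdict, reason = classify(s)
        print("%-18s shown as %-14s -> %-6s (%s)" % (s, displayed_name(s), verdict, reason))
```

The verdict for a bare script extension and for a disguised one is the same (block); the reason string differs so that a report can show users the masquerading pattern, which is the teaching moment the slide is after.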
19. SECURE THE USER
• Education, Education, Education
o Sophos Phish Threat
o Use real world samples
o Make it fun
o Every click is an opportunity to learn
• Make it easy to report phishing
• Look for risky behaviour
23. The Memory Drop: Sailing past file scanning AV
(slide diagram of the stages of an exploit-based attack)
• Stages: PREPARATION, TRIGGERING, GAIN CONTROL, CIRCUMVENT (DEP), POST PAYLOAD DROP
• Techniques shown across the stages: Heap Spray, Use after Free, Memory Corruption, Stack Pivot, ROP, Call OS function
• Payload drop: In-Memory (Ransomware Activity) or On Disk (where Antivirus scans it)
• Most exploit-based attacks consist of 2 or more techniques
• Exploit techniques do not change and are mandatory to exploit existing and future software vulnerabilities
24. Intercepting Exploit Techniques (Overview)
• Stack Pivot: Stops abuse of the stack pointer
• Stack Exec: Stops attacker's code on the stack
• Stack-based ROP Mitigations: Stops standard Return-Oriented Programming attacks
• Branch-based ROP Mitigations (Hardware Assisted): Stops advanced Return-Oriented Programming attacks
• Import Address Table Filtering (IAF) (Hardware Assisted): Stops attackers that look up API addresses in the IAT
• SEHOP: Protects against overwriting of the structured exception handler
• Load Library: Prevents loading of libraries from UNC paths
• Reflective DLL Injection: Prevents loading of a library from memory into a host process
• Shellcode: Stops code execution in the presence of exploit shellcode
• VBScript God Mode: Prevents abuse of VBScript in IE to execute malicious code
• WoW64: Stops attacks that address 64-bit functions from a WoW64 (32-bit) process
• Syscall: Stops attackers that attempt to bypass security hooks
• Enforce Data Execution Prevention (DEP): Prevents abuse of buffer overflows
• Mandatory Address Space Layout Randomization (ASLR): Prevents predictable code locations
• Bottom Up ASLR: Improved code location randomization
• Null Page (Null Dereference Protection): Stops exploits that jump via page 0
• Heap Spray Allocation: Pre-allocates common memory areas to block example attacks
• Dynamic Heap Spray: Stops attacks that spray suspicious sequences on the heap
• VTable Hijacking: Helps to stop attacks that exploit virtual tables in Adobe Flash Player
• Hollow Process: Stops attacks that use legitimate processes to hide hostile code
• DLL Hijacking: Gives priority to system libraries for downloaded applications
• Application Lockdown: Stops logic-flaw attacks that bypass mitigations
• Java Lockdown: Prevents attacks that abuse Java to launch Windows executables
• AppLocker Bypass: Prevents regsvr32 from running remote scripts and code
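Several entries in the list above ("Enforce Data Execution Prevention (DEP)", "Mandatory Address Space Layout Randomization (ASLR)") exist because an application only gets those OS mitigations by default if its binary opted in at link time, and the runtime product enforces them for images that did not. A practitioner rolling this out wants to know which images on an estate depend on that enforcement. The added example below (written for this page, not Sophos or Microsoft code) reads the DllCharacteristics word of a PE optional header and reports whether DEP (NX_COMPAT), ASLR (DYNAMIC_BASE), high-entropy ASLR, SEH hardening and Control Flow Guard are set. The flag values are the documented PE/COFF constants; the sample headers are constructed in the code so it runs offline, and `build_sample_pe` produces header bytes only, not a loadable binary.

```python
"""Audit the compile-time exploit-mitigation flags of a Windows PE image.

Constructed example for this page: reads DllCharacteristics from the PE
optional header. Flag values are the documented IMAGE_DLLCHARACTERISTICS_*
constants; the sample headers below are constructed test data.
"""
import struct

HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high entropy
DYNAMIC_BASE    = 0x0040   # image can be relocated (ASLR)
FORCE_INTEGRITY = 0x0080   # code integrity checks enforced
NX_COMPAT       = 0x0100   # image is DEP-compatible
NO_SEH          = 0x0400   # image does not use structured exception handling
GUARD_CF        = 0x4000   # Control Flow Guard

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image held in memory.
    Raises ValueError if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_offset + 4 + 20            # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional header.
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return flags


def audit_mitigations(data: bytes) -> dict:
    """Map the raw flag word to the mitigations a defender cares about."""
    flags = dll_characteristics(data)
    return {
        "dep": bool(flags & NX_COMPAT),
        "aslr": bool(flags & DYNAMIC_BASE),
        # High-entropy ASLR only means something if the image is relocatable.
        "high_entropy_aslr": bool(flags & DYNAMIC_BASE and flags & HIGH_ENTROPY_VA),
        "seh_disabled": bool(flags & NO_SEH),
        "cfg": bool(flags & GUARD_CF),
    }


def missing_mitigations(data: bytes) -> list:
    """Mitigations expected of a modern binary that this image did not opt into.
    These are the images that rely on the endpoint product enforcing DEP/ASLR."""
    m = audit_mitigations(data)
    return [name for name in ("dep", "aslr", "cfg") if not m[name]]


def audit_file(path: str) -> dict:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as f:
        return audit_mitigations(f.read())


def build_sample_pe(flags: int, pe32plus: bool = True) -> bytes:
    """Construct a minimal PE header (test data only, not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # PE signature at 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_sample_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA | GUARD_CF)
    legacy = build_sample_pe(0, pe32plus=False)
    print("hardened:", audit_mitigations(hardened), "missing:", missing_mitigations(hardened))
    print("legacy:  ", audit_mitigations(legacy), "missing:", missing_mitigations(legacy))
```

Point `audit_file` at a directory of installed applications and the `missing_mitigations` output is the list to prioritise: an old plug-in or line-of-business tool built without NX_COMPAT and DYNAMIC_BASE is exactly the process where the heap spray, stack pivot and ROP steps from the earlier slide remain easiest, and where the runtime enforcement described above does the work the linker flags did not.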
28. Product matrix
Intercept X
- Anti Exploit
- CryptoGuard
- Root Cause Analysis
- Clean
AV Standard
- Anti Malware / HIPS
- Live Protection
- Real time scanning
- Download Reputation
- URL Filtering
AV Advanced
- Device Control
- Application Control
- Web Control
- Data Loss Protection
Server Advanced
- Web Security
- Server Lockdown
- Device Control
- Application Control
- CryptoGuard
Server Standard
- Anti Malware
- Live Protection
- AWS integration
- Automatic Exclusions
- Download Reputation
- Thin Agent for VMs
Mobile Standard / Mobile Advanced
- Mobile Content Management
- Secure Workspace container
- Secure Email container
- Mobile Security
- Mobile SDK
- Mobile Device Management
- Mobile App management
- Mobile Email Management
Secure your Endpoints
Goal: Help you make the most of an opportunity right now – ransomware is a horrible thing, but it presents you with a fantastic opportunity that we see some of our partners making the most of right now. We want to help you to position yourself as knowledgeable on ransomware with your customers and act as a trusted advisor on what they can do to better protect themselves from the threat of ransomware.
We are going to do that by examining a few news stories to work out how it typically gets in, then look at what it does and why it is so good at evading your AV.
And most importantly, what can you do about it to help your customers…
And if time allows, we are going to ask Russ to completely hose his machine with ransomware so you can see this running in real time.
Like threats, security had to evolve.
File scanning, heuristics, limiting the attack surface (prevention).
Good, but reactive: focused on history, the known, defense.
Move to proactive: the unknown, offense.
Why? The move to hacking.
What if the attacker uses legitimate credentials, apps, systems…
RTB (Real Time Bidding)
You won a gift certificate
Last week: Spotify Free, malware via advertisements.
According to Fox-IT Security Operations Center, at least 288 websites were affected,
and it is believed that a compromised ad network was responsible for so many sites being affected simultaneously.
A lot of the popular news sites in The Netherlands were hit…
nu.nl
marktplaats.nl
sbs6.nl
rtlnieuws.nl
rtlz.nl
startpagina.nl
buienradar.nl
Angler was used in this case
Sophisticated/Coordinated
Targets – 25-50, IT, Mumbai
India – Banking, IT (Bangalore)
Satan – you heard about this in the threat landscape session with Chet and John… we must not forget the business that is behind ransomware; this is how easy it is for me to get my own flavour of ransomware… it only costs me 30% of my ransom.
They act like a normal company, have FAQs and support, and usually provide the decryption key after the payment.
Using social engineering, and hiding the code in programs/documents that many companies use every day, like macros and JavaScript.
Ransomware attacks can bring a business to a screeching halt within seconds, yet many organizations don’t have proper protocol in place to deal with outbreaks. As such, getting out from under ransomware can take weeks.
As a trusted advisor you can help build that.
What would it take to recover?
What does the backup and recovery strategy look like?
How acceptable is data loss?
How long would it take to get each machine up and running? How many can we do in parallel?
What does that recovery cost look like?
Often this will be a tweak on an existing cyber security plan – but factor in risks & cost of data loss, downtime
Stopping the attack before the malicious payload executes.
Another way to describe a Return Oriented Programming attack is:
Imagine RAM is a book. If you and I both run Firefox on our computers, we both have a chapter for Firefox. Those chapters will be almost identical (apart from all the parts about the tabs / websites we have open). If I study the chapter on my computer, I can see that if I pick this word, and this word, and this word, and string them together, I can build a malicious sentence - instructions to launch an attack. So even though I don’t bring any malicious code on to the computer I want to attack, I can build the malicious code in memory, thanks to the instructions already there.
Sophos Clean is a signatureless, on-demand malware scanner that's just 11 MB and does not need to be installed. You can run it from a USB flash drive, a CD/DVD, or from network attached storage, which is useful if malware is tampering with the installed antivirus software and its updates.