This is Next-Gen IT Security - Introducing Intercept X

Page 1

This Is Next-Gen IT Security
Mark Loman, Director of Engineering, Next-Gen Technologies

Page 2

The Evolution of Threats: From Malware to Exploits

[Timeline figure running from Traditional Malware to Advanced Threats, with the estimated damage of each threat as labelled on the slide:]
• Melissa Virus - 1999 - $1.2B
• Love Letter Worm - 1998 - $15B
• Zeus Trojan - 2007 - $2.3B
• JSocket RATs - 2014 - $800M
• Locky Ransomware - 2016 - $1.1B
• FinFisher Spyware - 2003 - $780M
• Exploit as a Service - 2015 - $500M

Page 3

The Evolution of Security: From Anti-Malware to Anti-Exploit

[Figure: protection layers arranged along the same axis, from Traditional Malware to Advanced Threats:]
• Exposure Prevention: URL Blocking, Web/App/Dev Ctrl, Download Rep
• Pre-Exec Analytics: Generic Matching, Heuristics, Core Rules
• File Scanning: Known Malware, Malware Bits
• Run-Time: Behavior Analytics, Runtime Behavior
• Exploit Detection: Technique Identification
Threat types along the axis: Trojan, Spyware, Virus, Worm (traditional) through RATs, Ransomware, Exploit Kits (advanced)

Page 4

Threat Landscape 2016

Page 5

Malvertising Threat Chain

[Figure: the chain passes through a Third Party, the Ad Network and RTB (real-time bidding).]

Page 6

No Site Is Immune

Page 7

Exploits As a Service

[Figure: exploit-kit infrastructure with these components: Victims (Initial Request, Redirection), Exploit Kit Customers, Landing Page, Exploits, Malicious Payloads, Stats, Gateway Servers, Malware Distribution Servers, Management Panel, and the Exploit Kit Admin, who connects over Tor to Get Current Domain, Get Stats and Update Payloads.]

Page 8

Ransomware

Page 9

Ransomware Evolves

Page 10

Evolutionary Threat Trends (Threats and Targets)

• Known to Unknown: 75% of malware inside an organization is unique to that organization
• Large to Small Business: 70% of all organizations reported a compromise in the last 12 months
• Simple to Industrialized: as Malware-as-a-Service platforms evolve, payloads are being monetized on the Dark Web under the same market pressures that govern any industry
• Volume to Targeted: exploit kits cause over 90% of all data breaches
• Malware to Hacking: 63% of data breaches involve stolen credentials
• Everyone to Weakest: average time to fix vulnerabilities is 193 days

(Sources: Sophos Labs, NSS Labs, WhiteHat Security, Verizon DBIR, FBI / InfoSec London)

Page 11

Anatomy of an Advanced Attack

Page 12

Introducing

Page 13

Introducing Sophos Intercept X

Problems addressed: Advanced Malware, Zero-Day Exploits, Limited Visibility

Anti-Exploit: Prevent Exploit Techniques
• Signatureless Exploit Prevention
• Protects Patient-Zero / Zero-Day
• Blocks Memory-Resident Attacks
• Tiny Footprint & Low False Positives
No User/Performance Impact, No File Scanning, No Signatures

Root-Cause Analysis: Automated Incident Response
• IT Friendly Incident Response
• Process Threat Chain Visualization
• Prescriptive Remediation Guidance
• Advanced Malware Clean
Faster Incident Response, Root-Cause Visualization, Forensic Strength Clean

Anti-Ransomware: Detect Next-Gen Threats
• Stops Malicious Encryption
• Behavior Based Conviction
• Automatically Reverts Affected Files
• Identifies Source of Attack
Prevent Ransomware Attacks, Roll-Back Changes, Attack Chain Analysis

Page 14

Intercepting Exploits: Vulnerabilities vs Exploits vs Exploit Techniques

[Chart: total count over time for three series, vulnerabilities (1,000s/yr), public exploits (100s/yr) and exploit techniques (10s). Annotations: "Patching" and "Prior knowledge of public attacks (signatures / behaviors)".]

Page 15

Same chart as Page 14, with the added note: 100,000,000+ new malware each year

Page 16

Intercepting Exploits: Blocking Exploit Techniques vs Antivirus

[Figure: attack stages and the technique used at each: Preparation (Heap Spray), Triggering (Use after Free), Gain Control (Stack Pivot, ROP), Circumvent DEP (Call OS function), Post (Ransomware activity). The exploit-technique stages are bracketed as the domain of Sophos Intercept X, the final payload as the domain of Antivirus.]

• Most exploit-based attacks consist of 2 or more exploit techniques
• Exploit techniques do not change and are mandatory to exploit existing and future software vulnerabilities

Page 17

Example Code Execution Flow

[Figure: execution over time through the layers User Space, System DLL, Kernel and Processor; an API call into a system DLL becomes a system call into the kernel.]

Page 18

On Execute File Scanning (Antivirus)

[Same layer diagram; the system call shown is CreateProcess.]
• Checks the file on disk (signature check) when the process is created
• No attention to the machine code that called CreateProcess

Page 19

Stack-based ROP Mitigations (Microsoft EMET)

[Same layer diagram; the API call shown is VirtualProtect.]
• During ROP attacks, the stack contains no reliable data
• The attacker has control over the steps (stack) and can manipulate the defender

Page 20

Branch-based ROP Mitigations (Hardware Assisted) (Sophos Intercept X)

[Same layer diagram, with VirtualProtect and CreateProcess as the observed calls.]
• Software stack and hardware-traced branch analysis (manipulation resistant)
• Leverages and repurposes a previously unused feature in mainstream Intel® processors
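Pages 19 and 20 contrast a stack-based ROP check with one driven by processor branch records. The following added example (not Sophos or EMET code) models that contrast with a constructed code map, a constructed stack and a constructed branch trace; the "call-preceded" rule it applies (a genuine return lands right after a CALL) is the standard heuristic, and the addresses are invented.

```python
# Constructed code map: address -> (mnemonic, instruction length in bytes).
CODE = {
    0x1000: ("push", 1), 0x1001: ("call", 5), 0x1006: ("mov", 3),   # legit return site 0x1006
    0x4000: ("call", 5), 0x4005: ("test", 2),                       # legit return site 0x4005
    0x5000: ("ret", 1),                                             # callee that returns normally
    0x2000: ("pop", 1),  0x2001: ("ret", 1),                        # gadget: pop reg ; ret
    0x3000: ("add", 3),  0x3003: ("ret", 1),                        # gadget: add ... ; ret
}

def call_preceded(addr):
    """True if the instruction ending exactly at `addr` is a CALL. A genuine RET lands
    right after the CALL that pushed its return address; a gadget-to-gadget RET does not."""
    return any(ins == "call" and a + ln == addr for a, (ins, ln) in CODE.items())

def stack_check(return_addresses):
    """Stack-based mitigation (EMET style): inspect the return addresses found on the
    stack when a sensitive API such as VirtualProtect is called. Returns the offenders."""
    return [ra for ra in return_addresses if not call_preceded(ra)]

def branch_check(trace):
    """Branch-based mitigation: for every RET the processor recorded as (kind, from, to),
    require the target to be call-preceded. Returns the offending (from, to) pairs."""
    return [(src, dst) for kind, src, dst in trace if kind == "ret" and not call_preceded(dst)]

# Constructed scenario: a ROP chain ran the gadgets at 0x2000 and 0x3000 before calling
# VirtualProtect. The attacker fully controls the stack, so the stack walker only sees
# the plausible, call-preceded return addresses the attacker left there ...
FORGED_STACK = [0x1006, 0x4005]
# ... whereas the hardware branch trace records where the RETs really went and is
# not writable by the exploit.
RECORDED_TRACE = [("ret", 0x2001, 0x3000), ("ret", 0x3003, 0x2000)]
# A normal call/return pair for comparison: CALL at 0x1001, RET from 0x5000 back to 0x1006.
LEGIT_TRACE = [("call", 0x1001, 0x5000), ("ret", 0x5000, 0x1006)]

if __name__ == "__main__":
    print("stack check, forged stack:   ", stack_check(FORGED_STACK))     # [] -> attack missed
    print("branch check, recorded trace:", branch_check(RECORDED_TRACE))  # both gadget RETs flagged
    print("branch check, legit trace:   ", branch_check(LEGIT_TRACE))     # []
```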

Page 21

Intercepting Exploit Techniques (Overview)

• Stack Pivot: stops abuse of the stack pointer
• Stack Exec: stops attacker's code on the stack
• Stack-based ROP Mitigations: stops standard Return-Oriented Programming attacks
• Branch-based ROP Mitigations (Hardware Assisted): stops advanced Return-Oriented Programming attacks
• Import Address Table Filtering (IAF) (Hardware Assisted): stops attackers that look up API addresses in the IAT
• SEHOP: protects against overwriting of the structured exception handler
• Load Library: prevents loading of libraries from UNC paths
• Reflective DLL Injection: prevents loading of a library from memory into a host process
• Shellcode: stops code execution in the presence of exploit shellcode
• VBScript God Mode: prevents abuse of VBScript in IE to execute malicious code
• WoW64: stops attacks that address 64-bit functions from a WoW64 (32-bit) process
• Syscall: stops attackers that attempt to bypass security hooks
• Enforce Data Execution Prevention (DEP): prevents abuse of buffer overflows
• Mandatory Address Space Layout Randomization (ASLR): prevents predictable code locations
• Bottom Up ASLR: improved code location randomization
• Null Page (Null Dereference Protection): stops exploits that jump via page 0
• Heap Spray Allocation: pre-allocates common memory areas to block example attacks
• Dynamic Heap Spray: stops attacks that spray suspicious sequences on the heap
• VTable Hijacking: helps to stop attacks that exploit virtual tables in Adobe Flash Player
• Hollow Process: stops attacks that use legitimate processes to hide hostile code
• DLL Hijacking: gives priority to system libraries for downloaded applications
• Application Lockdown: stops logic-flaw attacks that bypass mitigations
• Java Lockdown: prevents attacks that abuse Java to launch Windows executables
• AppLocker Bypass: prevents regsvr32 from running remote scripts and code

Page 22

Intercepting Ransomware

• Monitor File Access: if suspicious file changes are detected, file copies are created
• Attack Detected: the malicious process is stopped and the process history is investigated
• Rollback Initiated: original files restored, malicious files removed
• Forensic Visibility: user message, admin alert, root cause analysis details available
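The monitor / copy / convict / rollback cycle on this slide, as an added toy model that is not Sophos code. It assumes a hypothetical filesystem hook that calls FileGuard.on_write before each write, uses byte entropy of the new content as a stand-in for "suspicious file changes", and works on a constructed set of documents in a temporary directory.

```python
import math, os, shutil, tempfile
from collections import defaultdict

ENTROPY_THRESHOLD = 7.0   # bits/byte; ciphertext is ~8.0, ordinary documents are far lower
MAX_SUSPICIOUS = 3        # high-entropy rewrites by one process before it is convicted

def shannon_entropy(data):
    """Bits per byte of `data`: a cheap proxy for 'this write looks encrypted'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

class FileGuard:
    """Toy monitor/copy/convict/rollback model; a hypothetical FS hook calls on_write first."""
    def __init__(self):
        self.backup_dir = tempfile.mkdtemp(prefix="fileguard-")
        self.copies = defaultdict(dict)      # pid -> {original path: backup copy}
        self.suspicious = defaultdict(int)   # pid -> high-entropy rewrites seen so far

    def on_write(self, pid, path, content):
        """Perform the write and return 'allowed', or refuse it with 'blocked'."""
        if path not in self.copies[pid] and os.path.exists(path):
            bak = os.path.join(self.backup_dir, f"{pid}-{len(self.copies[pid])}.bak")
            shutil.copy2(path, bak)          # keep the original before it changes
            self.copies[pid][path] = bak
        if shannon_entropy(content) >= ENTROPY_THRESHOLD:
            self.suspicious[pid] += 1
        if self.suspicious[pid] >= MAX_SUSPICIOUS:
            self.rollback(pid)               # conviction: restore (a real product also stops pid)
            return "blocked"
        with open(path, "wb") as fh:
            fh.write(content)
        return "allowed"

    def rollback(self, pid):
        for path, bak in self.copies[pid].items():   # restore every file this pid changed
            shutil.copy2(bak, path)
        return len(self.copies[pid])

def simulate(n_files=4):
    """Constructed scenario: pid 42 rewrites each document with ciphertext-like bytes."""
    workdir = tempfile.mkdtemp(prefix="docs-")
    originals = {}
    for i in range(n_files):
        path = os.path.join(workdir, f"report{i}.txt")
        originals[path] = f"Quarterly report {i}: revenue up, costs flat.\n".encode()
        with open(path, "wb") as fh:
            fh.write(originals[path])
    guard, ciphertext = FileGuard(), bytes(range(256)) * 2   # uniform bytes: entropy 8.0
    verdicts = [guard.on_write(42, path, ciphertext) for path in originals]
    intact = all(open(p, "rb").read() == data for p, data in originals.items())
    return verdicts, intact   # third write triggers conviction; all originals survive
```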

Page 23

Root Cause Analytics: Understanding the Who, What, When, Where, Why and How

Page 24

Sophos Clean: Malware Removal. Vulnerability Assessment.

Works with existing AV
• Signatureless, on-demand scanner
• Does not need to be installed
• Shows what the others missed
• 30-Day Free License

Removes Threats
• Deep System Inspection
• Removes Malware Remnants
• Full Quarantine / Removal
• Effective Breach Remediation

On-Demand Assessment
• Identifies Risky Files / Processes
• Constantly Refreshed Database
• Provides Additional Confidence
• Command-Line Capable

Page 25

Cloud Intelligence

Analytics: analyze data across all of Sophos' products to create simple, actionable insights and automatic resolutions

Sophos Labs: 24x7x365, multi-continent operation | URL Database | Malware Identities | File Look-up | Genotypes | Reputation | Behavioural Rules | APT Rules | Apps | Anti-Spam | Data Control | SophosID | Patches | Vulnerabilities | Sandboxing | API Everywhere

Sophos Central (In Cloud / On Prem)
• Admin | Self Service | Partner: Manage All Sophos Products | User Customizable Alerts | Management of Customer Installations
• Managed products: Endpoint/Next-Gen Endpoint, Mobile, Server, Encryption, UTM/Next-Gen Firewall, Wireless, Email, Web
• Synchronized Encryption

Page 26

Synchronized Encryption: A New Paradigm in Data Protection

User Integrity | App Integrity | System Integrity
• Encrypt Everything, Everywhere, Automatically
• Synchronized with Endpoint Protection

"By 2019, 25% of security spend will be driven by EU data protection regulation and privacy concerns." - IDC

Page 27

Intercepting Threats with Synchronized Security

Demo

Page 28

Synchronized Security

[Same architecture diagram as Page 25: Sophos Central (In Cloud / On Prem) with Admin | Self Service | Partner management of Endpoint/Next-Gen Endpoint, Mobile, Server, Encryption, UTM/Next-Gen Firewall, Wireless, Email and Web, fed by Cloud Intelligence (Analytics) and Sophos Labs.]

Page 29