Copyright 2016, Symantec Corporation 1


#1 IoT devices are less secure than a 2004 era XP machine

• 2004: XP, unpatched. Today: Linux, unpatched
• No update mechanism
• Password is hardcoded, non-existent or well known


The Business Email Compromise (BEC) Scam


An employee in Finance receives an email requesting a WIRE TRANSFER:

"Dear Sonia, Please wire money to this account 34xx-xxxx-0xx. Your CEO"


#2 Nigerian Princes Never Go Away


They Evolve


Top Countries of Origin of BEC Scams


#3 Most Scams Evolve


#4 Your End-Users Are Calling This Number

@threatintel | www.symantec.com

#RANSOMWARE #TECHSUPPORTSCAM


16 Million

100 MILLION BLOCKED in 2015


THE BLACK MARKET

o Credit Cards with CVV2: $1.00 to $20.00
o Credit Cards with Full Detail: $30.00 to $40.00
o Physical Credit Card including PIN: $63.50 to $250.00
o IDs with SSN, DOB, and Name: $0.10 to $2.00


#5 You May Not Know What the Value of Your Data Is, But Attackers Do


THE BLACK MARKET

o Netflix Account: $0.25
o Airline Frequent Flyer >10k: $26
o Hotel Loyalty Rewards: $20
o Uber Account: $0.05 to $1.00


#6

1% of 430,555,582 = 4,305,555


How are they getting in?

Vectors

• Other malware
• Brute-force attacks
• Server-side vulnerabilities
• Worm techniques
• SMS messages and app stores (Android)


[Chart: Zero-Day Vulnerabilities by year, 2006 to 2015; 54 in 2015. Source: 2016 Internet Security Threat Report, Volume 21]


Zero-Day Vulnerability Lifecycle

• Zero-Day: about 365 days
• Public – No Patch: avg. 1 day
• Patch Available: maybe never


Adobe Releases Out-of-Band Patch For Flash Vulnerability

• On June 23, Adobe released an out-of-band patch for a critical zero-day vulnerability, designated CVE-2015-3113

[Timeline: Zero-Day, Public – No Patch, Patch Available. Exploit Kit (days 1 2 3 4 5 6 7 8…): Magnitude, Angler, Nuclear, RIG, Neutrino]


Top 5 Most Frequently Exploited Zero-Day Vulnerabilities in 2015

Rank  Name                                                  2015 Percentage
1     Adobe Flash Player CVE-2015-0313                      81%
2     Adobe Flash Player CVE-2015-5119                      14%
3     Adobe Flash Player CVE-2015-5122                      5%
4     Heap-Based Buffer Overflow aka ‘Ghost’ CVE-2015-0235  <1%
5     Adobe Flash Player CVE-2015-3113                      <1%


#7


#8 Do Your Fellow Man a Favor and Patch Your Website

[Diagram: Exploit Kit, Popular Website, Downloader]

15% of Legitimate Websites Have Critical Vulnerabilities Unpatched

#8.5 Patch Browser & Browser Plug-in Vulnerabilities


#9 Patch Flash!


How are they getting in?

Vectors

• Other malware
• Brute-force attacks
• Server-side vulnerabilities
• Worm techniques
• SMS messages and app stores (Android)


#10 Don’t Let Defenses Down at Mail Server

1 in 152 emails is malicious (Symantec ISTR, August 2016)


#11 If You Can Only Train Your End-Users on One Thing…

Symantec sees up to 10M of these a week


#11.5 If You Can Only Train Your End-Users on One Thing…

#11.5 If You Can Only Train Yourself on One Thing…

• Block these file extensions at the Mail Gateway
  – .js
  – .jse
  – .vbs
  – .vbe
  – .iso
  – .hta
  – .wsf

• End-user and desktop security are the last line of defense against these threats.

• See: http://www.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan
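As an added example (not code from the slides or from Symantec), here is a Python attachment check that applies the slide's mail-gateway block list, tolerates case and trailing-dot tricks in the filename, and also looks inside zip attachments, which goes beyond what the slide lists; the zip-only archive handling and the function names are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Extensions from the slide's "block at the Mail Gateway" list.
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".iso", ".hta", ".wsf"}
# Container types whose members are inspected too (assumption: zip only).
ARCHIVE_EXTENSIONS = {".zip"}


def blocked_extension(filename: str) -> Optional[str]:
    """Return the blocked extension the name ends in, or None if allowed.

    Case-insensitive and tolerant of trailing dots/whitespace, so
    'Invoice.PDF.js', 'report.JS.' and 'scan.wsf ' are all caught.
    """
    name = filename.strip().rstrip(".").lower()
    suffix = PurePosixPath(name).suffix
    return suffix if suffix in BLOCKED_EXTENSIONS else None


def attachment_verdict(filename: str, data: bytes) -> List[str]:
    """Return the reasons to block this attachment; an empty list means allow.

    Zip members are checked as well (this goes beyond the slide's list, since
    these script types commonly arrive zipped). An unreadable zip is also
    blocked, so the gateway fails closed rather than passing what it cannot see.
    """
    reasons = []
    ext = blocked_extension(filename)
    if ext:
        reasons.append(f"{filename}: blocked extension {ext}")
    if PurePosixPath(filename.strip().rstrip(".").lower()).suffix in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = blocked_extension(member)
                    if inner:
                        reasons.append(f"{filename}/{member}: blocked extension {inner}")
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: unreadable zip archive")
    return reasons


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed test input: build an in-memory zip with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```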


Ransomware Growth Factors

• High Profitability

• Effective Infection Vectors

• Easy Access to Encryption

• Low Barrier to Entry


Ransomware Families

100 new families identified in 2015 compared to 77 in 2014


#12 Ransomware is Easy



#13 Most Ransomware Does Not Care Who it Infects


Consumers 57%

Organizations 43%


How is Ransomware Getting in?

Vectors

• Other malware
• Brute-force attacks
• Server-side vulnerabilities
• Worm techniques
• SMS messages and app stores (Android)

#14 There is nothing special about how ransomware gets on machines


Ransomware Attack Chain

1. Malware Delivery
2. Malware Installed
3. Call C&C Server
4. Encryption


Ransomware Attack Chain - Variations

• Different ransom amounts
• Delete or infect backup
• Target specific user files or all user files
• Download additional threats
• Propagate onto servers, USBs, cloud

1. Malware Delivery
2. Malware Installed
3. Call C&C Server
4. Encryption


#15 If There Is An Attack Chain There Is A Kill Chain

1. Malware Delivery: Gateway, Mail server
2. Malware Installed: AVE, IPS, Download Insight
3. Call C&C Server: IPS
4. Encryption: SONAR, ADC


Protection Against Ransomware

• Install, configure and maintain an endpoint security solution
• User education
• Employ content scanning and filtering on your mail servers
• Maintain a current patch level for any operating systems and applications that have known vulnerabilities
• Limit end user access to mapped drives – make read only and password protect
• Deploy and maintain a comprehensive backup solution
  – Make sure backup is not writeable by network workstations or servers


If You Get Infected

• Isolate the infected computer before the ransomware can attack network drives to which it has access
• Clean the machine
• Restore damaged files from a known good backup
• And…


If You Get Infected

#16 Do not pay the ransom


#17 Willingness To Pay Is Driving Up The Cost Of The Ransom

[Chart: ransom amount by year, 2014: $294.14; 2015: $679.65]


#18 Paying The Ransom Puts a Notch on Your Gate


Ransomware Attack Chain

1. Malware Delivery
2. Malware Installed
3. Call C&C Server
4. Encryption


#19 Paying The Ransom Puts a Notch on Your Industry’s Gate


#20 This Too Shall Pass
