![Page 1: Sophos Day Belgium - The IT Threat Landscape and what to look out for](https://reader030.vdocuments.net/reader030/viewer/2022021506/5877430b1a28ab342e8b7443/html5/thumbnails/1.jpg)
Threat Landscape
John Shier Sr. Security Advisor @john_shier
November 2016
Top detections: Benelux
Chart labels (detection names):
•Infected archive
•JS downloader/trojan
•Conficker
•JS downloader/email
•ActiveX/IE vuln
•VBS downloader
•LNK/AutoIT worm
•Phishing
•Generic
•VBS
•LNK/Jenxcus
•LNK/Bundpil
•Callhome
What are we facing?
Phishing
How not to phish
http://[IP ADDRESS]/fcid/6a6f686e2e736869657240736f70686f732e636f6d/
Modern phishing
HD phishing
Locally targeted
Malvertising
Malvertising threat chain
Diagram labels: RTB, Ad network, Third party
No site is immune
Exploit kits
A decade of misery
Timeline: 2006, 2013, 2016
Exploits as a Service
Diagram: Exploits as a Service
•Actors: Exploit Kit Admin, Spammer/Malvertiser, Exploit merchant, Ransomware author
•Infrastructure: Management Panel, Malware Distribution Servers, Gateway Servers, VPN
•Kit components: Landing Page, Exploits, Payloads
•Flows: Initial Request, Redirection, Malicious Payloads, Stats, Get Current Domain, Get Stats, Update payloads
•Parties: Victims, Exploit Kit Customers
EK prominence – October 2016
Chart labels (exploit kits):
•RIG
•Nuclear
•Chinese EK
•Da Gong/Gondad
•Angler
•Fiesta
•Neutrino v2
•Other
Mirai
What we know, by the numbers
•550,000 compromised devices
•9 different architectures
•Attacking tcp/23, 2323
•80% are DVRs
•24% overlap with ‘gafgyt’
•10% attacked Dyn
•10/1/2016 source code released
Mirai infrastructure
src: http://blog.level3.com/security/grinch-stole-iot/
scanner.c
attack.go, attack.h
Use the (brute) force
Who’s to blame?
src: https://krebsonsecurity.com/wp-content/uploads/2016/10/iotbadpass-pdf.png
src: http://www.geekculture.com/joyoftech/joyarchives/1947.html
Document malware
Why does document malware work?
•Out of the spotlight
•Familiarity and trust
•Email as file transfer protocol
•Patching failure
•Call to action
Curiosity infected the cat
Build Your Own
How to protect against document malware?
•Email filtering
•Sandbox
•Cloud services
•Document viewers
•Share files differently
Data stealing malware
Why does data stealing malware work?
•Multiple security failures
•Needs a human actor
•Poor network segregation
•Over privileged users
•Poor outbound filtering
•Unknown baseline
How does data stealing malware work?
Target(ed) exfiltration
How to protect against data stealing malware?
Ransomware
Why does ransomware work?
•Complex threat chain
•Social Engineering
•No need for persistence
•Uses existing tools
•Geographically targeted, locally customized
•It’s your data
Locky/Zepto/Odin
CryptoWall 4.0
Zcrypt
Stampado/Philadelphia
Ransomware and Bitcoin
•Convenient
•Anonymous
•Laundered
•Openly criminal
6 tips for preventing ransomware
1. Back up your files regularly and keep them offline
2. Don’t enable macros in emailed docs
3. Tell Windows to show file extensions
4. Don’t open script or shortcut files sent by email
5. Don’t give yourself more login power than necessary
6. Patch early, patch often
Users
It’s not all bad news
•Social engineering works
•People like to help
•Stop worrying about the Nigerians
•OSINT
•Training isn’t the only answer
•Create a security culture
•Use your remote sensors