intercept x is sophos answer to ransomware
TRANSCRIPT
InterceptXisSophosanswertoransomware
JoannaWziątek-ŁadoszSalesEngineer,Sophos
You’rebeinghacked…..
1983199519992001201020112015
“TRUTH IS STRANGER THAN FICTION”
3
MelissaVirus
1998
$1.2B
LoveLetterWorm
$15B
1999
$2.3B
2007
$800M
2014
LockyRansomware
$1.1B
2016
FinFischerSpyware
2003
$780M
ExploitasaService
$500M
2015
TRADITIONAL MALWARE ADVANCED THREATS
TheEvolutionofEndpointThreatsFromMalwaretoExploits
TRADITIONAL MALWARE ADVANCED THREATS
TheEvolutionofSophosEndpointSecurityFromAnti-MalwaretoAnti-ExploittoNext-Generation
ExposurePrevention
URLBlockingWebScripts
DownloadRep
Pre-ExecAnalytics
GenericMatchingHeuristicsCoreRules
File-Scanning
SignaturesKnownMalwareMalwareBits
Run-Time
SignaturelessBehaviorAnalyticsRuntimeBehavior
ExploitDetection
TechniqueIdentification
EXECUTABLEFILES
MALICIOUSURLS
UNAUTHORIZEDAPPS
REMOVABLEMEDIA
EXPLOITPREVENTION
MSFILES&PDF
!
ADVANCEDCLEAN
RANSOMWAREPREVENTION
INCIDENTRESPONSE
DETECT RESPONDPREVENTBEFORE IT REACHES DEVICE BEFORE IT RUNS ON DEVICE
SOPHOS NEXT GENERATION ENDPOINT DETECTION AND RESPONSE
90%OF DATA BREACHES AREFROM EXPLOITS KITS
90%OF EXPLOIT KITS ARE BUILTFROM KNOWN VULNERABILITIES
AND YET…MORE THAN 60%OF ITSTAFFLACK INCIDENT RESPONSE SKILLS
Anatomyofaransomware attack
Andgone
Theransomwarewillthendeleteitselfleavingjusttheencryptedfilesandransomnotesbehind.
Ransomdemand
Amessageappearsontheuser’sdesktop,explaininghowaransom(oftenintheformofbitcoins)canbepaidwithinatimeframe ofe.g.72hourstoenabledecryptionofthedatawiththeprivatekeythatonlytheattacker’ssystemhasaccessto.
Encryptionofassets
Certainfilesarethenencryptedonthelocalcomputerandonallaccessiblenetworkdriveswiththispublickey.AutomaticbackupsoftheWindowsOS(shadowcopies)areoftendeletedtopreventdatarecovery.
Contactwiththecommand&controlserveroftheattacker
TheransomwaresendsinformationabouttheinfectedcomputertotheC&Cserveranddownloadsanindividualpublickeyforthiscomputer.
Installationviaanexploitkitorspamwithaninfectedattachment
Onceinstalledtheransomwaremodifiestheregistrykeys
2mainvectorsofattack
• SPAM (viasocialengineering)○ Seeminglyplausiblesender○ Hasattachmente.g.invoice,parceldeliverynote○ Theattachmentcontainsanembeddedmacro○ Whentheattachmentisopenedthemacrodownloads
andthenexecutestheransomwarepayload○ UsedbyLocky,TorrentLocker,CTB-Locker
• Exploitkits○ Blackmarkettoolsusedtoeasilycreateattacksthat
exploitknownorunknownvulnerabilities(zero-day)○ ClientsidevulnerabilitiesusuallytargettheWebbrowser○ UsedbyAngler,CryptoWall,TeslaCrypt,CrypVault,
ThreatFinder
AcommonLocky attack
• Youreceiveanemailcontaininganattacheddocument.o Thedocumentlookslikegobbledegook.o Thedocumentadvisesyoutoenablemacros“ifthedataencodingisincorrect.”
o Thecriminalswantyoutoclickonthe'Options'buttonatthetopofthepage.
• OnceyouclickOptions,Locky willstarttoexecuteonyourcomputer.• Assoonasitisreadytoaskyoufortheransom,itchangesyourdesktopwallpaper.• Theformatofthedemandvaries,buttheresultsarethesame.
Introducing
IntroducingSophosInterceptX
ADVANCEDMALWARE
ZERODAYEXPLOITS
LIMITEDVISIBILITY
Anti-Exploit
PreventExploitTechniques• SignaturelessExploitPrevention• ProtectsPatient-Zero/Zero-Day• BlocksMemory-ResidentAttacks• TinyFootprint&LowFalsePositives
NoUser/PerformanceImpactNoFileScanningNoSignatures
AutomatedIncidentResponse• ITFriendlyIncidentResponse• ProcessThreatChainVisualization• PrescriptiveRemediationGuidance• AdvancedMalwareClean
Root-CauseAnalysis
FasterIncidentResponseRoot-CauseVisualizationForensicStrengthClean
DetectNext-GenThreats• StopsMaliciousEncryption• BehaviorBasedConviction• AutomaticallyRevertsAffectedFiles• IdentifiessourceofAttack
Anti-Ransomware
PreventRansomwareAttacksRoll-BackChanges
AttackChainAnalysis
AnatomyofaRansomware Attack
ExploitKitorSpamwithInfection
Command&ControlEstablished
LocalFilesareEncrypted
Ransomwaredeleted,Ransom
Instructionsdelivered
CryptoGuard
• SimpleandComprehensive
• UniversallyPreventsSpontaneousEncryptionofData
• RestoresFilestoKnownState
• SimpleActivationinSophosCentralCRYPTOGUARD
CryptoGuard- InterceptingRansomware
Monitorfileaccess• Ifsuspicious filechangesaredetected,filecopiesarecreated
Attackdetected• Malicious processisstoppedandweinvestigatetheprocesshistory
Rollbackinitiated• Originalfilesrestored• Maliciousfilesremoved
Forensicvisibility• User message• Adminalert• Root causeanalysisdetailsavailable
NEW – Anti-ExploitAttackPrevention• Providesadvancedexploitprotectionbyfocusingon
commontechniquesusedbyattackers• Protectsapplicationsagainstzero-dayexploits,malicious
traffic,andprocessbreaches
UpdatedEndUser AgentUI UpdatedAdminUI
Root-CauseAnalyticsUnderstandingtheWho,What,When,Where,WhyandHow
WhatHappened?• RootCauseAnalysis
• Automaticreport@theprocess/threat/registrylevel• 90Daysofhistoricalreporting• DetailedVisualrepresentationofwhatotherassetshavebeentouched
WhatisatRisk?• CompromisedAssets
• Comprehensivelistofbusinessdocuments,executables,librariesandfiles• Anyadjacentdevice(i.e.,mobile)ornetworkresourceswhichmaybeatrisk
FuturePrevention• SecurityPosture
• Recommendationsbasedonhistoricalsecurityrisks• Providesstepstopreventfutureattacks• RichreportingofCompliancestatus
RootCauseAnalysisInterface
15
InterceptingExploits
ExploitPrevention• Monitorsprocessesforattempteduseofexploittechniquese.g Bufferoverflow,codeinjection,stackpivotandothers
• Blockswhentechniqueisattempted
• Malwareispreventedfromleveragingvulnerabilities
?
SophosCleanMalwareRemoval.VulnerabilityAssessment.
• 100%AutomatedwithInterceptX• AlsoavailableasastandaloneForensicCleanUtility
RemovesThreats• DeepSystemInspection• RemovesMalwareRemnants• FullQuarantine/Removal• EffectiveBreachRemediation
On-DemandAssessment• IdentifiesRiskyFiles/Processes• ConstantlyRefreshedDatabase• ProvidesAdditionalConfidence• Command-LineCapable
SophosInterceptX– TwoWaystoPlay
• Purposebuilttocomplimentandenhance”traditionalAV”solutions• Securityfocusedonexploittechniques,notmerelythetoolsused• DesignedfortheITGeneralist.PowerfulenoughfortheInfo-SecProfessional
The“UltimateBundle”• CentralEndpointAdvancedAdd-OnProduct• “UltimatePromo”Bundle– Contactre:Discount• UpgradestheEndpointtoaSingleAgent
ExistingAV?BetterTogether• ComplimentsandenhancestraditionalAV• AddsLevelsofProtectioncurrentlylacking• ProvidesaForensic-LevelClean
IntroducingSophosInterceptX
ADVANCEDMALWARE
ZERODAYEXPLOITS
LIMITEDVISIBILITY
Anti-Exploit
PreventExploitTechniques• SignaturelessExploitPrevention• ProtectsPatient-Zero/Zero-Day• BlocksMemory-ResidentAttacks• TinyFootprint&LowFalsePositives
NoUser/PerformanceImpactNoFileScanningNoSignatures
AutomatedIncidentResponse• ITFriendlyIncidentResponse• ProcessThreatChainVisualization• PrescriptiveRemediationGuidance• AdvancedMalwareClean
Root-CauseAnalysis
FasterIncidentResponseRoot-CauseVisualizationForensicStrengthClean
DetectNext-GenThreats• StopsMaliciousEncryption• BehaviorBasedConviction• AutomaticallyRevertsAffectedFiles• IdentifiessourceofAttack
Anti-Ransomware
PreventRansomwareAttacksRoll-BackChanges
AttackChainAnalysis
You’rebeinghacked…..
1983199519992001201020112015
“TRUTH IS STRANGER THAN FICTION”
21