intercept x is sophos answer to ransomware

InterceptXisSophosanswertoransomware

JoannaWziątek-ŁadoszSalesEngineer,Sophos

You’rebeinghacked…..

1983199519992001201020112015

“TRUTH IS STRANGER THAN FICTION”

3

MelissaVirus

1998

$1.2B

LoveLetterWorm

$15B

1999

$2.3B

2007

$800M

2014

LockyRansomware

$1.1B

2016

FinFischerSpyware

2003

$780M

ExploitasaService

$500M

2015

TRADITIONAL MALWARE ADVANCED THREATS

TheEvolutionofEndpointThreatsFromMalwaretoExploits

TRADITIONAL MALWARE ADVANCED THREATS

TheEvolutionofSophosEndpointSecurityFromAnti-MalwaretoAnti-ExploittoNext-Generation

ExposurePrevention

URLBlockingWebScripts

DownloadRep

Pre-ExecAnalytics

GenericMatchingHeuristicsCoreRules

File-Scanning

SignaturesKnownMalwareMalwareBits

Run-Time

SignaturelessBehaviorAnalyticsRuntimeBehavior

ExploitDetection

TechniqueIdentification

EXECUTABLEFILES

MALICIOUSURLS

UNAUTHORIZEDAPPS

REMOVABLEMEDIA

EXPLOITPREVENTION

MSFILES&PDF

!

ADVANCEDCLEAN

RANSOMWAREPREVENTION

INCIDENTRESPONSE

DETECT RESPONDPREVENTBEFORE IT REACHES DEVICE BEFORE IT RUNS ON DEVICE

SOPHOS NEXT GENERATION ENDPOINT DETECTION AND RESPONSE

90%OF DATA BREACHES AREFROM EXPLOITS KITS

90%OF EXPLOIT KITS ARE BUILTFROM KNOWN VULNERABILITIES

AND YET…MORE THAN 60%OF ITSTAFFLACK INCIDENT RESPONSE SKILLS

Anatomyofaransomware attack

Andgone

Theransomwarewillthendeleteitselfleavingjusttheencryptedfilesandransomnotesbehind.

Ransomdemand

Amessageappearsontheuser’sdesktop,explaininghowaransom(oftenintheformofbitcoins)canbepaidwithinatimeframe ofe.g.72hourstoenabledecryptionofthedatawiththeprivatekeythatonlytheattacker’ssystemhasaccessto.

Encryptionofassets

Certainfilesarethenencryptedonthelocalcomputerandonallaccessiblenetworkdriveswiththispublickey.AutomaticbackupsoftheWindowsOS(shadowcopies)areoftendeletedtopreventdatarecovery.

Contactwiththecommand&controlserveroftheattacker

TheransomwaresendsinformationabouttheinfectedcomputertotheC&Cserveranddownloadsanindividualpublickeyforthiscomputer.

Installationviaanexploitkitorspamwithaninfectedattachment

Onceinstalledtheransomwaremodifiestheregistrykeys

2mainvectorsofattack

• SPAM (viasocialengineering)￮ Seeminglyplausiblesender￮ Hasattachmente.g.invoice,parceldeliverynote￮ Theattachmentcontainsanembeddedmacro￮ Whentheattachmentisopenedthemacrodownloads

andthenexecutestheransomwarepayload￮ UsedbyLocky,TorrentLocker,CTB-Locker

• Exploitkits￮ Blackmarkettoolsusedtoeasilycreateattacksthat

exploitknownorunknownvulnerabilities(zero-day)￮ ClientsidevulnerabilitiesusuallytargettheWebbrowser￮ UsedbyAngler,CryptoWall,TeslaCrypt,CrypVault,

ThreatFinder

AcommonLocky attack

• Youreceiveanemailcontaininganattacheddocument.o Thedocumentlookslikegobbledegook.o Thedocumentadvisesyoutoenablemacros“ifthedataencodingisincorrect.”

o Thecriminalswantyoutoclickonthe'Options'buttonatthetopofthepage.

• OnceyouclickOptions,Locky willstarttoexecuteonyourcomputer.• Assoonasitisreadytoaskyoufortheransom,itchangesyourdesktopwallpaper.• Theformatofthedemandvaries,buttheresultsarethesame.

Introducing

IntroducingSophosInterceptX

ADVANCEDMALWARE

ZERODAYEXPLOITS

LIMITEDVISIBILITY

Anti-Exploit

PreventExploitTechniques• SignaturelessExploitPrevention• ProtectsPatient-Zero/Zero-Day• BlocksMemory-ResidentAttacks• TinyFootprint&LowFalsePositives

NoUser/PerformanceImpactNoFileScanningNoSignatures

AutomatedIncidentResponse• ITFriendlyIncidentResponse• ProcessThreatChainVisualization• PrescriptiveRemediationGuidance• AdvancedMalwareClean

Root-CauseAnalysis

FasterIncidentResponseRoot-CauseVisualizationForensicStrengthClean

DetectNext-GenThreats• StopsMaliciousEncryption• BehaviorBasedConviction• AutomaticallyRevertsAffectedFiles• IdentifiessourceofAttack

Anti-Ransomware

PreventRansomwareAttacksRoll-BackChanges

AttackChainAnalysis

AnatomyofaRansomware Attack

ExploitKitorSpamwithInfection

Command&ControlEstablished

LocalFilesareEncrypted

Ransomwaredeleted,Ransom

Instructionsdelivered

CryptoGuard

• SimpleandComprehensive

• UniversallyPreventsSpontaneousEncryptionofData

• RestoresFilestoKnownState

• SimpleActivationinSophosCentralCRYPTOGUARD

CryptoGuard- InterceptingRansomware

Monitorfileaccess• Ifsuspicious filechangesaredetected,filecopiesarecreated

Attackdetected• Malicious processisstoppedandweinvestigatetheprocesshistory

Rollbackinitiated• Originalfilesrestored• Maliciousfilesremoved

Forensicvisibility• User message• Adminalert• Root causeanalysisdetailsavailable

NEW – Anti-ExploitAttackPrevention• Providesadvancedexploitprotectionbyfocusingon

commontechniquesusedbyattackers• Protectsapplicationsagainstzero-dayexploits,malicious

traffic,andprocessbreaches

UpdatedEndUser AgentUI UpdatedAdminUI

Root-CauseAnalyticsUnderstandingtheWho,What,When,Where,WhyandHow

WhatHappened?• RootCauseAnalysis

• Automaticreport@theprocess/threat/registrylevel• 90Daysofhistoricalreporting• DetailedVisualrepresentationofwhatotherassetshavebeentouched

WhatisatRisk?• CompromisedAssets

• Comprehensivelistofbusinessdocuments,executables,librariesandfiles• Anyadjacentdevice(i.e.,mobile)ornetworkresourceswhichmaybeatrisk

FuturePrevention• SecurityPosture

• Recommendationsbasedonhistoricalsecurityrisks• Providesstepstopreventfutureattacks• RichreportingofCompliancestatus

RootCauseAnalysisInterface

15

InterceptingExploits

ExploitPrevention• Monitorsprocessesforattempteduseofexploittechniquese.g Bufferoverflow,codeinjection,stackpivotandothers

• Blockswhentechniqueisattempted

• Malwareispreventedfromleveragingvulnerabilities

?

SophosCleanMalwareRemoval.VulnerabilityAssessment.

• 100%AutomatedwithInterceptX• AlsoavailableasastandaloneForensicCleanUtility

RemovesThreats• DeepSystemInspection• RemovesMalwareRemnants• FullQuarantine/Removal• EffectiveBreachRemediation

On-DemandAssessment• IdentifiesRiskyFiles/Processes• ConstantlyRefreshedDatabase• ProvidesAdditionalConfidence• Command-LineCapable

SophosInterceptX– TwoWaystoPlay

• Purposebuilttocomplimentandenhance”traditionalAV”solutions• Securityfocusedonexploittechniques,notmerelythetoolsused• DesignedfortheITGeneralist.PowerfulenoughfortheInfo-SecProfessional

The“UltimateBundle”• CentralEndpointAdvancedAdd-OnProduct• “UltimatePromo”Bundle– Contactre:Discount• UpgradestheEndpointtoaSingleAgent

ExistingAV?BetterTogether• ComplimentsandenhancestraditionalAV• AddsLevelsofProtectioncurrentlylacking• ProvidesaForensic-LevelClean

IntroducingSophosInterceptX

ADVANCEDMALWARE

ZERODAYEXPLOITS

LIMITEDVISIBILITY

Anti-Exploit

PreventExploitTechniques• SignaturelessExploitPrevention• ProtectsPatient-Zero/Zero-Day• BlocksMemory-ResidentAttacks• TinyFootprint&LowFalsePositives

NoUser/PerformanceImpactNoFileScanningNoSignatures

AutomatedIncidentResponse• ITFriendlyIncidentResponse• ProcessThreatChainVisualization• PrescriptiveRemediationGuidance• AdvancedMalwareClean

Root-CauseAnalysis

FasterIncidentResponseRoot-CauseVisualizationForensicStrengthClean

DetectNext-GenThreats• StopsMaliciousEncryption• BehaviorBasedConviction• AutomaticallyRevertsAffectedFiles• IdentifiessourceofAttack

Anti-Ransomware

PreventRansomwareAttacksRoll-BackChanges

AttackChainAnalysis

You’rebeinghacked…..

1983199519992001201020112015

“TRUTH IS STRANGER THAN FICTION”

intercept x is sophos answer to ransomware

Documents

Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)

Sophos UTM Web Protection - Sophos Products and Solutions · Sophos Datasheet 3 Sophos UTM Web Protection “With Sophos Web Protection our employee casual surfing and time wasting

Sophos Mobile Control Administratorhilfe · 2 Über Sophos Mobile Control Sophos Mobile Control Sophos Mobile Control ist eine Verwaltungssoftware für Mobilgeräte wie Smartphones

Sophos Email Appliance · Sophos Email Appliance User Guide Product Version 4.3 Sophos Limited 2018

Sophos Enterprise Console Upgrade-Anleitung...• Sophos Enterprise Console 5.2.0 • Sophos Enterprise Console 5.1 • Sophos Enterprise Console 5.0 Hinweis Wenn Sie ein Upgrade von

Intercept X - JKC · Security Heartbeat automaticky izoluje nakaženou stanici. Integrace se Sophos Central Advanced Sophos Intercept X je rozšíření aktivní obrany, které funguje

Sophos XG Firewall - Hix Technologieshixtechnologies.com/img/hix/sophos/sophos-xg-series-appliances-brna.pdfSecurity Heartbeat Crea una conexión entre los endpoint de Sophos Cloud

소포스 인터셉트 엑스 소개 (Sophos Intercept X)

Sophos XG Firewall - Thaibiz Provider · Sophos XG Firewall provides all the latest advanced technology you need to protect your network from ransomware and advanced threats including

Die moderne Bedrohungslage Ransomware/Exploits · Security Heartbeat Anti-Exploit Anti-Ransomware Ursachenanalyse Sophos Clean Sophos Central Sophos Central Endpoint Standard Sophos

npi.ph€¦ · SOPHOS Security made simple, Sophos Mobile Control Mobile Productivity with Sophos Security. Sophos Mobile Control secures mobile devices and protects corporate data

Sophos アンインストール F-Secure インストールマニュアル ......2017/08/25 · 5.Sophos AutoUpdate 6.Sophos Endpoint Defense ※ 3. Sophos Anti-Virusをアンイ

Sophos UTM 9 - Infinigate (Schweiz)Sophos Sandstorm –0-Day Malware ProtectionVerfügbar für Sophos UTM / SG Sophos XG Firewall Sophos Email Appliance Sophos Web Appliance Sophos

Sophos makes IT security simple with next-generation ... · Sophos becomes Gartner Magic Quadrant Leader in both Network and Endpoint. Intercept X is also launched, which is recognised

How to Stay Protected Against Ransomware€¦ · How to Stay Protected Against Ransomware A Sophos Whitepaper August 2016 Protection technologies to help keep you secure against ransomware

Sophos SafeGuard Disk Encryption, Sophos SafeGuard

Migration auf Sophos Security Heartbeat™€¦ · *Sophos Cloud Endpoint Protection Advanced oder Sophos Cloud Enduser Protection erforderlich Ihr Sophos-Partner stellt Ihnen gerne

Sophos Intercept X for Mobile...Sophos Intercept X for Mobile 5 Web フィルタリング「Web フィルタリング」を使して、管理者は悪意のあるコンテンツや不適切または違法なコンテン

How to Stay Protected Against Ransomwaresn.gruppocdm.it/wp-content/uploads/2016/10/sophos... · How to Stay Protected Against Ransomware A Sophos Whitepaper August 2016 How does a

Sophos protection for healthcare providers€¦ · Visibility into your network, users, and apps Ì End-to-end endpoint protection The industry’s top-rated malware detection, ransomware

Securing with Sophos - Sophos Day Belux 2014

Event holding slide - edist.itedist.it/wp-content/uploads/2018/02/Soluzioni-Sophos-SGN-Mobile... · Meterpreter shell detection. SOPHOS INTERCEPT X: THE POWER OF THE PLUS KNOWN THREATS

1 - Sophos Ransomware Budapest Apr2016 - TMSI · ￮ Used by Locky, TorrentLocker , CTB-Locker • Exploit kits ￮ Black market tools used to easily create attacks that exploit known

Find the x-intercept, y-intercept and slope x-intercept = y-intercept = Slope = _

Sophos Email Security and Data Protection - Softchoicem.softchoice.com/.../sophos/sophos-email-security... · Sophos if corrective action is needed to maintain email security Solutions

Sophos Intercept X for Mobile · 3 Panel de control El panel de control de Sophos Intercept X for Mobile le ofrece una visión general del estado de seguridad del dispositivo. Las

Preliminary study: Sophos Intercept X vs Adaptive Defensepartnernews.pandasecurity.com/za/src/uploads/2015/12/AD... · 2017-02-22 · Preliminary study: Sophos Intercept X vs Adaptive

Sophos Mobile...Sophos Mobile の導ステップは次のとおりです。1.任意: Mobile Advanced ライセンスをアクティベートして、Sophos Intercept X for Mobile、Sophos

Sophos Mobile · 2020. 4. 29. · Sophos Mobile 2 有哪些重要步骤？要开始使用 Sophos Mobile： 1. 可选：激活您的 Mobile Advanced 许可证以管理 Sophos Intercept

Sophos Intercept X - tecnozero Soluciones Informaticas

Sophos Endpoint Security and Control standalone …sinetcomm.com/common/Sophos/standalone_70_seng.pdf · Sophos Endpoint Security and Control ... Sophos Endpoint Security and Control

Edexec-2019-Manchester-presentation · 2019-12-19 · MERAKI – Mobile Device Management c. Intercept X – anti ransomware d. ... Security Operations Centre – alerting and monitoring

Sophos what's new: Intercept X, ML & Co. · Sophos –30 Jahre Erfahrung •Akquisition u.a. von Utimaco 2009, Astaro 2011, Dialogs 2012, Cyberoam 2014, SurfRight 2015, invincea 2017

Taking the battle to Ransomware with Sophos Intercept X

Ransomware: Next-Generation Fake Antivirus - Sophos