
CSO Breakfast in Partnership with ESET - Juraj Malcho Presentation


Published in: Technology

  1. Are we doing enough?
     Juraj Malcho, Chief Research Officer, ESET
  2. Agenda
     • Malware scene of today
     • Anything special about Australia?
     • Are security solutions dead and ineffective?
     • How to manage to survive (and sleep at night)?
     • How dark is the future of ICT security?
  3. Malware prevalence AUS 2013: consumer vs business

     Consumer
     Threat                              Infection share  Total share
     Win32/Toolbar.Conduit.B                  7.95%            0.75%
     Win32/Toolbar.SearchSuite                4.81%            0.45%
     Win32/Toolbar.Conduit.P                  4.48%            0.42%
     Win32/Toolbar.Widgi                      3.58%            0.34%
     Win32/AdInstaller                        3.05%            0.29%
     Win32/SoftonicDownloader.E               2.95%            0.28%
     Win32/Toolbar.Babylon.E                  2.71%            0.25%
     Win32/DownloadAdmin.G                    2.49%            0.23%
     Win32/Toolbar.Visicom.A                  2.48%            0.23%
     Win32/Toolbar.MyWebSearch                2.38%            0.22%
     Win32/Toolbar.Conduit.Q                  2.38%            0.22%
     Win32/Somoto.A                           2.33%            0.22%
     Win32/Toolbar.Babylon.A                  2.32%            0.22%
     Win32/Toolbar.Conduit.O                  2.22%            0.21%
     Win32/Adware.Yontoo.B                    2.13%            0.20%
     Win32/Toolbar.Linkury.A                  2.09%            0.20%
     Win32/Toolbar.Visicom.C                  2.03%            0.19%
     Win32/bProtector.A                       2.00%            0.19%
     Win32/Toolbar.Visicom.B                  1.89%            0.18%
     HTML/Iframe.B.Gen                        1.89%            0.18%

     Business
     Threat                              Infection share  Total share
     Win32/Toolbar.Widgi                      4.89%            0.49%
     Win32/Toolbar.Conduit.B                  4.48%            0.45%
     Win32/Toolbar.SearchSuite                3.80%            0.38%
     HTML/Iframe.B.Gen                        3.56%            0.36%
     HTML/ScrInject.B.Gen                     3.13%            0.32%
     Win32/Toolbar.Conduit.P                  2.59%            0.26%
     Win32/DownloadAdmin.G                    2.54%            0.26%
     Win32/AdInstaller                        2.49%            0.25%
     Win32/SoftonicDownloader.E               2.11%            0.21%
     Win32/InstallIQ                          2.11%            0.21%
     Win32/Toolbar.MyWebSearch                2.10%            0.21%
     Win32/NetTool.Portscan.C                 2.06%            0.21%
     Win32/Tool.EvID4226                      2.03%            0.21%
     Win32/Keygen.AO                          2.02%            0.20%
     Win32/Keygen.CY                          2.02%            0.20%
     Win32/bProtector.A                       1.84%            0.19%
     Win32/Toolbar.Babylon.E                  1.82%            0.18%
     Win32/Toolbar.Linkury.A                  1.80%            0.18%
     Win32/Spy.Zbot.AAU                       1.66%            0.17%
     Win32/InstallIQ.A                        1.64%            0.17%
  4. Malware prevalence AUS 2014: consumer vs business

     Consumer
     Threat                              Infection share  Total share
     Win32/Toolbar.Conduit.Y                  8.32%            0.50%
     Win32/Toolbar.Conduit.B                  6.83%            0.41%
     Win32/Toolbar.Conduit                    4.57%            0.28%
     Win32/Toolbar.Conduit.P                  4.16%            0.25%
     Win32/Conduit.SearchProtect.N            3.69%            0.22%
     Win32/PriceGong.A                        3.66%            0.22%
     Win32/Systweak                           3.37%            0.20%
     MSIL/MyPCBackup.A                        3.07%            0.19%
     Suspicious                               3.07%            0.19%
     Win32/Toolbar.Conduit.X                  2.85%            0.17%
     Win32/Toolbar.Conduit.Q                  2.77%            0.17%
     Win32/Conduit.SearchProtect.H            2.76%            0.17%
     Win32/Toolbar.Conduit.H                  2.62%            0.16%
     Win32/Toolbar.Conduit.O                  2.49%            0.15%
     Win32/Toolbar.Conduit.AH                 2.33%            0.14%
     Win32/Toolbar.MyWebSearch.AC             2.04%            0.12%
     Win32/Toolbar.Visicom.B                  2.01%            0.12%
     Win64/Toolbar.Conduit.B                  1.99%            0.12%
     Win32/ClientConnect.A                    1.87%            0.11%
     JS/Toolbar.Crossrider.B                  1.86%            0.11%
     Win32/TrojanDownloader.Wauchos.AF        1.82%            0.11%

     Business
     Threat                              Infection share  Total share
     Win32/Toolbar.Conduit.Y                  5.83%            0.39%
     Win32/Toolbar.Conduit.B                  5.22%            0.35%
     Win32/Conduit.SearchProtect.N            3.82%            0.26%
     Win32/TrojanDownloader.Wauchos.AF        3.65%            0.25%
     Win32/TrojanDownloader.Waski.A           3.52%            0.24%
     Win32/PriceGong.A                        2.52%            0.17%
     Win32/Rovnix.X                           2.50%            0.17%
     Win32/Toolbar.Conduit.P                  2.50%            0.17%
     MSIL/MyPCBackup.A                        2.24%            0.15%
     Win32/Toolbar.Conduit.X                  2.23%            0.15%
     Win32/Toolbar.Conduit.Q                  2.20%            0.15%
     Win32/Toolbar.Conduit.H                  2.11%            0.14%
     Win32/Toolbar.Conduit                    2.09%            0.14%
     Suspicious                               2.02%            0.14%
     Win32/Conduit.SearchProtect.P            1.95%            0.13%
     Win32/Systweak                           1.79%            0.12%
     Win32/Toolbar.Conduit.AH                 1.79%            0.12%
     Win32/AdInstaller                        1.77%            0.12%
     Win32/Toolbar.Montiera.A                 1.74%            0.12%
     Win32/Toolbar.Conduit.V                  1.66%            0.11%
     Win32/TrojanDownloader.Waski.F           1.61%            0.11%
  5. Malware prevalence AUS 2015: consumer vs business

     Consumer
     Threat                              Infection share  Total share
     Suspicious                               8.39%            0.40%
     Win32/TrojanDownloader.Waski.F           4.19%            0.20%
     Win32/Toolbar.Conduit.Y                  2.76%            0.13%
     Win32/Systweak                           2.03%            0.10%
     Win32/TrojanDownloader.Waski.A           1.89%            0.09%
     Win32/Conduit.SearchProtect.N            1.67%            0.08%
     Win32/ClientConnect.A                    1.55%            0.07%
     Win32/AdkDLLWrapper.A                    1.50%            0.07%
     Win32/Systweak.L                         1.50%            0.07%
     Win32/TrojanDownloader.Waski.Z           1.37%            0.07%
     Win32/Toolbar.MyWebSearch.AC             1.36%            0.06%
     JS/Toolbar.Crossrider.B                  1.23%            0.06%
     Win32/Systweak.N                         1.21%            0.06%
     Win32/Toolbar.Conduit.B                  1.21%            0.06%
     Win32/Toolbar.Conduit.O                  1.16%            0.06%
     Win32/Toolbar.Conduit.X                  1.15%            0.05%
     Win32/Toolbar.Conduit.Q                  1.13%            0.05%
     Win32/Toolbar.MyWebSearch.AA             1.12%            0.05%
     MSIL/MyPCBackup.A                        1.08%            0.05%
     Win32/Conduit.SearchProtect.H            1.04%            0.05%

     Business
     Threat                              Infection share  Total share
     Win32/TrojanDownloader.Waski.F           7.56%            0.45%
     Suspicious                               4.98%            0.30%
     Win32/TrojanDownloader.Waski.A           3.31%            0.20%
     Win32/Toolbar.Conduit.Y                  2.76%            0.16%
     Win32/TrojanDownloader.Waski.Z           2.30%            0.14%
     Win32/Conduit.SearchProtect.N            1.81%            0.11%
     Win32/Toolbar.MyWebSearch.AO             1.46%            0.09%
     Win32/Filecoder.DI                       1.37%            0.08%
     Win32/TrojanDownloader.Wauchos.AK        1.23%            0.07%
     Win32/Systweak                           1.20%            0.07%
     Win32/Conduit.SearchProtect.P            0.99%            0.06%
     MSIL/MyPCBackup.F                        0.97%            0.06%
     Win32/Toolbar.Conduit.B                  0.97%            0.06%
     Win32/Systweak.L                         0.97%            0.06%
     Win32/Toolbar.Conduit.O                  0.96%            0.06%
     Win32/Systweak.N                         0.96%            0.06%
     Win32/Toolbar.Conduit.Q                  0.89%            0.05%
     Win32/TrojanDownloader.Agent.BEL         0.86%            0.05%
     Win32/Danger.DoubleExtension             0.84%            0.05%
     Win32/Toolbar.Visicom.B                  0.83%            0.05%
  6. Malware prevalence 2015: AUS vs USA, business

     AUS business: identical to the business table on slide 5.

     USA business
     Threat                              Infection share  Total share
     Win32/Toolbar.Conduit.Y                  3.59%            0.14%
     Win32/Toolbar.MyWebSearch.AO             2.73%            0.10%
     Win32/TrojanDownloader.Waski.F           2.47%            0.09%
     HTML/ScrInject.B.Gen                     2.39%            0.09%
     Win32/Systweak                           2.21%            0.08%
     Win32/Toolbar.Conduit.X                  1.92%            0.07%
     Suspicious                               1.85%            0.07%
     Win32/Conduit.SearchProtect.N            1.83%            0.07%
     MSIL/MyPCBackup.F                        1.76%            0.07%
     Win32/AdInstaller                        1.54%            0.06%
     JS/Toolbar.Crossrider.B                  1.52%            0.06%
     Win32/Toolbar.MyWebSearch.AC             1.51%            0.06%
     Win32/DealPly.S                          1.51%            0.06%
     Win32/Systweak.L                         1.49%            0.06%
     Win32/ClientConnect.A                    1.46%            0.06%
     MSIL/MyPCBackup.A                        1.42%            0.05%
     Win32/Toolbar.Visicom.B                  1.38%            0.05%
     Win32/Systweak.N                         1.38%            0.05%
     Win32/InstallIQ.A                        1.29%            0.05%
     HTML/FakeAlert.AK                        1.28%            0.05%
  7. Malware prevalence 2015: AUS vs USA, consumer

     AUS consumer: identical to the consumer table on slide 5.

     USA consumer
     Threat                              Infection share  Total share
     Suspicious                               4.00%            0.15%
     Win32/Toolbar.Conduit.Y                  3.11%            0.12%
     Win32/Systweak                           2.54%            0.10%
     HTML/ScrInject.B.Gen                     2.18%            0.08%
     JS/Toolbar.Crossrider.B                  2.14%            0.08%
     Win32/ClientConnect.A                    2.13%            0.08%
     Win32/Conduit.SearchProtect.N            1.96%            0.08%
     MSIL/MyPCBackup.A                        1.86%            0.07%
     Win32/Systweak.L                         1.77%            0.07%
     Win32/Toolbar.MyWebSearch.AC             1.64%            0.06%
     MSIL/MyPCBackup.F                        1.61%            0.06%
     Win32/Toolbar.MyWebSearch.AA             1.61%            0.06%
     JS/Toolbar.Crossrider.G                  1.57%            0.06%
     Win32/TrojanDownloader.Waski.F           1.53%            0.06%
     REG/Agent.AK                             1.50%            0.06%
     HTML/FakeAlert.AK                        1.46%            0.06%
     Win32/Systweak.N                         1.43%            0.06%
     Win32/Toolbar.Conduit.X                  1.39%            0.05%
     Win32/Toolbar.Conduit.AH                 1.36%            0.05%
     Win32/Toolbar.MyWebSearch.AO             1.35%            0.05%
  8. Malware prevalence 2015: AUS vs IDN, business

     AUS business: identical to the business table on slide 5.

     IDN business
     Threat                              Infection share  Total share
     LNK/Agent.AV                             7.93%            1.02%
     Win32/Ramnit.A                           4.38%            0.57%
     LNK/Autostart.A                          3.39%            0.44%
     Win32/Virut.NBP                          3.10%            0.40%
     Win32/Ramnit.F                           3.02%            0.39%
     Defo                                     2.94%            0.38%
     Win32/Ramnit.H                           2.88%            0.37%
     JS/Kryptik.I                             2.85%            0.37%
     Win32/Toolbar.MyWebSearch.AO             2.50%            0.32%
     INF/Autorun.gen                          2.43%            0.31%
     JS/Toolbar.Crossrider.B                  2.30%            0.30%
     Win32/Toolbar.SearchSuite.C              2.15%            0.28%
     Win32/Conficker.X                        2.01%            0.26%
     Win32/Conficker.AA                       2.00%            0.26%
     Win32/Sality.NBA                         1.98%            0.26%
     Win32/Sality.NBJ                         1.85%            0.24%
     LNK/Exploit.CVE-2010-2568                1.80%            0.23%
     Win32/SProtector.D                       1.78%            0.23%
     LNK/Agent.AK                             1.77%            0.23%
     Win32/Slugin.A                           1.77%            0.23%
  9. Malware prevalence 2015: AUS vs IDN, consumer

     AUS consumer: identical to the consumer table on slide 5.

     IDN consumer
     Threat                              Infection share  Total share
     LNK/Agent.AV                             7.45%            1.12%
     Win32/Ramnit.A                           5.11%            0.76%
     JS/Toolbar.Crossrider.B                  4.45%            0.67%
     Win32/Virut.NBP                          4.33%            0.65%
     LNK/Autostart.A                          4.29%            0.64%
     Win32/Ramnit.F                           3.98%            0.60%
     INF/Autorun.gen                          2.88%            0.43%
     Win32/Ramnit.H                           2.88%            0.43%
     JS/Toolbar.Crossrider.G                  2.63%            0.39%
     Defo                                     2.38%            0.36%
     Win32/Sality.NBA                         2.37%            0.36%
     Win32/AlteredSoftware.C                  2.36%            0.35%
     LNK/Agent.AK                             2.22%            0.33%
     Win32/ELEX.BM                            1.90%            0.28%
     Win32/Toolbar.Visicom.B                  1.81%            0.27%
     Win32/Slugin.A                           1.75%            0.26%
     Win32/AlteredSoftware.A                  1.74%            0.26%
     BAT/BadJoke.AP                           1.72%            0.26%
     Win32/Sality                             1.71%            0.26%
     Win32/Toolbar.CrossRider.CD              1.70%            0.26%
  10. Incident ratio 2013–2015
  11. Filecoders prevalence 2015: consumer vs business

      Consumer
      Country                             Infection share  Total share
      Australia                                2.70%            0.16%
      Spain                                    2.36%            0.16%
      Italy                                    2.44%            0.12%
      South Africa                             1.47%            0.11%
      United States                            2.73%            0.10%
      Canada                                   1.81%            0.09%
      Belgium                                  1.50%            0.07%
      Malaysia                                 0.74%            0.07%
      United Kingdom                           0.98%            0.06%
      Russia                                   0.96%            0.06%
      Bulgaria                                 0.93%            0.06%
      Portugal                                 0.88%            0.06%
      United Arab Emirates                     0.45%            0.05%
      Netherlands                              1.18%            0.04%

      Business
      Country                             Infection share  Total share
      South Africa                             1.39%            0.10%
      Spain                                    1.45%            0.09%
      United States                            1.80%            0.07%
      Australia                                1.50%            0.07%
      Israel                                   0.82%            0.06%
      Canada                                   1.12%            0.05%
      United Kingdom                           0.87%            0.05%
      Turkey                                   0.63%            0.05%
      Thailand                                 0.41%            0.05%
      New Zealand                              1.07%            0.04%
      Netherlands                              0.97%            0.04%
      Italy                                    0.91%            0.04%
      Singapore                                0.50%            0.04%
      Belgium                                  0.83%            0.03%
  12. Targeted campaigns
  13. Massive spreading is not en vogue anymore
      • The most burning issues rarely make it into the top 20 today: ransomware, banking Trojans, targeted malware
      • The top ranks are completely taken by Potentially Unwanted Software
      • Staying under the radar and tailoring malware for specific targets is the main focus today
  14. IoT, aka the Internet of Threats
      • History repeats itself: time to market is the most important thing, not security
      • Problematic from the simple ones to the complex ones: smart sensors, bulbs, intelligent home devices, smart TVs, internet routers, cars, mobile phones
      • Could I get a “non-smart” option, please?
  15. Fixing IoT
      • Simple ones need a strict end-of-life policy
        – They won’t update; they’re extremely cheap
      • Complex ones must be easy to update
        – Really? Home routers, cars, mobile phones?
      • Are legislation and industry standards going to save us?
      • Endpoint protection is almost impossible
        – We hear those saying firewalls are dead
  16. Android/Simplocker
  17. Android/Simplocker
      • Currently around 50 variants
      • Localization
      • Ransom amount: $15 -> $500
      • Better “self-defense”
      • Encrypting archives
      • “Better” cryptography vs.
  18. Linux/Moose
  19. APT or TPA?
      • If detected out of the box, then the attacker failed
      • “Advanced Persistent Threat” is completely wrong
        – Those threats are usually not advanced; not everything is Stuxnet
        – The malware itself is just a tool to perform an attack
        – It’s the attacker who’s persistent
      • “Targeted Persistent Attack” is much more spot on
        – Attackers combine different methods when doing reconnaissance: a phishing phone call, email-borne malware targeted at different people in an organization
  20. Is AV dead?
      • Yes, for about 20 years, if you’re talking about the original technology
      • However, it followed malware evolution:
        – Network communication inspection: botnets, exploitation, exfiltration
        – Emulation/sandboxing of analyzed code
        – Behavioral monitoring and memory scanning
        – Exploitation blocking
        – Cloud-based reputation systems
        – Stealth detections which can’t be tested by malware writers
        – Gradual move from automatic to more verbose/interactive solutions
  21. Bold words from the other side
      • Q: What types of security devices/services/techniques legitimately make your life harder as a blackhat? Any that you think are a complete waste of money?
      • A: Hmmmm, DDoS protection is a serious knock back, although as many groups have proven before it’s easy to bypass – e.g. cloudflare resolver before they changed the protection method (almost bypassable lol). Things that are a waste of money… Hmm, anti-virus is completely useless — yes it may protect you from skids using non-FUD files but that’s it. Every botnet that gets sold comes FUD as default. People do it for free, it’s that easy.
  22. Current Android malware
  23. "HAHAHA THE AVS FELL FOR THE LAST STRING F*****G ICARUS AND ASQUARED I JUST WISH NOD32 WOULD LEAVE ME ALONE FOR A FEW DAT ITS PISSING ME OFF THIS IS HOW I LIVE"
      "THIS-IS-HOW-I-LIVE-AND-PAY-MY-BILLS-GIVE-ME-A-BREAK"
      – The irritated author of Dorkbot
  24. The Irritated Author of Win32/Dorkbot
      "HAHAHA THE AVS FELL FOR THE LAST STRING FUCKING ICARUS AND ASQUARED I JUST WISH NOD32 WOULD LEAVE ME ALONE FOR A FEW DAT ITS PISSING ME OFF THIS IS HOW I LIVE"
      "THIS-IS-HOW-I-LIVE-AND-PAY-MY-BILLS-GIVE-ME-A-BREAK"
      "HOW CAN I PAY BILLS RENT FOOD WEALTH AND EVERYTHING NECESSARY IF NOD IS ALWAYS F******G UP MY CODES"
  25. What else is out there?
      • Endpoint Detection and Response systems provide insight into the behavior of your IT systems; however, there’s a reporting challenge
      • Malware Prevention Systems (automated sandboxing and analysis)
      • Intelligence Services and Managed Security
      • Deception techniques
      • SIEM
  26. How to choose the right solution?
      • Consulting analysts such as Gartner, or public testers, may help, but they don’t provide a definitive answer and might have a bias you’re not aware of
      • Internal testing is best but very difficult; you will likely be biased too, but aware of it
      • It also depends on your needs: not only detection is important, but footprint, reliability, manageability, support quality, etc.
  27. What’s the right SMB defense?
      • Unless you are in a very specific vertical, it’s unlikely that a true high-profile targeted attack would be conducted
      • Typically not enough expertise in SMBs
      • Automagic solutions work best, but of course can be bypassed
      • If unable to manage more complex/interactive solutions, look for an MSSP
      • Cloud-based solutions may help where applicable, as large providers can implement better security measures
  28. How about enterprise?
      • Defense needs have to adequately cover your potential adversaries
      • Combine different layers and don’t advertise them; SIEM management
      • Educate your teams
      • Trust but verify: employ network logging and look for anomalies
  29. Future issues
      • When IoT truly lifts off
      • When cloud adoption becomes massive (access management, governance, political issues)
      • Conflicting legislation: strict privacy and encryption laws vs. lawful(?) surveillance, leading to governments attacking security software
      • Global e-conflicts, cyber armies and attribution
  30. Solving the situation
      • Active & adequate cyber defense
      • Training, education and awareness
      • Responsible design and usage
      • Research & investigation, cooperation with law enforcement (LE)
      • Hitting criminals’ money flow
      • Preventing criminals from becoming criminals
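On slides 3 to 9 the two share columns of each table keep a nearly constant ratio (total share divided by infection share), which is plausibly the quantity behind the "Incident ratio 2013–2015" chart on slide 10 (the chart itself did not survive in this transcript). The Python below is an added example, not part of the deck: it parses the tables exactly as they appear in the flattened transcript and estimates that ratio per table. The reading of the two columns (a threat's share of all detections vs. its share of all endpoints) is my assumption, supported only by the constancy of the ratio; the sample rows are copied from slides 3 and 5.

```python
import re
from statistics import median

# Header that opens each flattened table in the transcript: a Threat (or Country)
# column followed by the two share columns.
HEADER_RE = re.compile(r"(?:Threat|Country)\s+infection share\s+total share")
# One row: a name that may contain spaces ("South Africa"), then two percentages.
ROW_RE = re.compile(r"\s*(.+?)\s+(\d+\.\d+)%\s+(\d+\.\d+)%")

# Sample input copied from the transcript: the first rows of slide 3 (AUS 2013,
# consumer table then business table) and of slide 5 (AUS 2015, consumer table).
SLIDE3_SAMPLE = (
    "Malware prevalence AUS 2013 consumer vs business "
    "Threat infection share total share Win32/Toolbar.Conduit.B 7.95% 0.75% "
    "Win32/Toolbar.SearchSuite 4.81% 0.45% Win32/Toolbar.Conduit.P 4.48% 0.42% "
    "Win32/Toolbar.Widgi 3.58% 0.34% Win32/AdInstaller 3.05% 0.29% "
    "Threat infection share total share Win32/Toolbar.Widgi 4.89% 0.49% "
    "Win32/Toolbar.Conduit.B 4.48% 0.45% Win32/Toolbar.SearchSuite 3.80% 0.38% "
    "HTML/Iframe.B.Gen 3.56% 0.36%"
)
SLIDE5_SAMPLE = (
    "Threat infection share total share Suspicious 8.39% 0.40% "
    "Win32/TrojanDownloader.Waski.F 4.19% 0.20% Win32/Toolbar.Conduit.Y 2.76% 0.13% "
    "Win32/Systweak 2.03% 0.10% Win32/TrojanDownloader.Waski.A 1.89% 0.09%"
)


def parse_tables(flat):
    """Split one flattened slide into its tables; a row is (name, infection_share, total_share) in %."""
    tables = []
    for chunk in HEADER_RE.split(flat)[1:]:   # text before the first header is the slide title
        tables.append([(m.group(1), float(m.group(2)), float(m.group(3)))
                       for m in ROW_RE.finditer(chunk)])
    return tables


def incident_ratio(rows):
    """Estimate the fraction of endpoints in this population that had any detection.

    Assumption (mine, not stated on the slides): 'infection share' is a threat's share of
    all detections in the population and 'total share' its share of all endpoints, so
    total/infection is the same for every row of a single-population table. The median
    damps the rounding noise of two-decimal percentages.
    """
    return median(total / infection for _, infection, total in rows if infection > 0)


def ratio_spread(rows):
    """Largest per-row deviation from the estimate. A large value means the rows are not one
    population (e.g. the per-country filecoder table on slide 11) or the assumption fails."""
    est = incident_ratio(rows)
    return max(abs(total / infection - est) for _, infection, total in rows if infection > 0)


if __name__ == "__main__":
    for label, flat in (("AUS 2013", SLIDE3_SAMPLE), ("AUS 2015", SLIDE5_SAMPLE)):
        for segment, rows in zip(("consumer", "business"), parse_tables(flat)):
            print(f"{label} {segment}: incident ratio ~{incident_ratio(rows):.1%} "
                  f"(spread {ratio_spread(rows):.4f})")
```

Run it against a full slide line from the transcript to see the ratio fall from roughly 9–10% in 2013 to under 5% in 2015 for Australia; on slide 11's country table the spread is large by design, since each row is a different population.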
