Cybercriminals are working in an increasingly targeted way and no longer focus only on the world's multinationals. Your company, too, can be the target of data loss and data theft. IT security is therefore climbing ever higher on the priority lists of CEOs and CIOs, and rightly so. To inform companies about the most important security risks and protective measures, Orbid, Proximus, Veeam and WatchGuard organised a free lunch & learn, “Cybercrime and the continuity of your company”, on 2 June in the recording studios of RTV in Westerlo.
WatchGuard - Cryptolocker en het gevecht tegen IT 's grootste vijand - Orbid - 20160602
1. Cryptolocker & het gevecht tegen
IT’s grootste nieuwe vijand
Martijn Nielen
Sr. Sales Engineer WatchGuard
2. Houston, we have a problem!
• « My antivirus and IPS are updated but I got infected anyway »
3. First reason: « Zero Day »
• The vulnerability is still unknown
• Or the fix is still not available
4. Second reason: Technology changes, including hackers…
• “Antivirus is Dead” Brian Dye Senior VP of Symantec
5. Nearly 88% of malware morphs to evade signature-based antivirus solutions*
Antivirus can’t keep up
*Malwise - An Effective and Efficient Classification System for Packed and Polymorphic Malware, Deakin University, Victoria, June 2013
6. AV Vendor Review
http://labs.lastline.com/lastline-labs-av-isnt-dead-it-just-cant-keep-up
• Average of 2 days for at least one AV scanner to detect what was not detected on day 0
• Detection rates increase to 61% after two weeks
• After a year 10% of scanners still do not detect some malware
• The 1-percentile of malware least likely to be detected was undetected by a majority of AV scanners for months
• In some cases the malware was never detected
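The bullets above are latency metrics: how long until any scanner has a verdict, what share of scanner/sample pairs detect by a given day, and which scanners still miss something after a year. The following Python is an added example (not part of the slide deck or of the Lastline study it cites) that computes those metrics from a constructed scan matrix; the sample names, scanner names and detection days are made up for illustration.

```python
"""Detection-latency metrics of the kind reported in the AV vendor review above.

Added example, not part of the slide deck or the Lastline study. The scan
matrix is constructed: for each sample, the day (0 = first submission) on
which each scanner first flagged it, or None if it never did within the window.
"""
from statistics import mean

WINDOW_DAYS = 365  # one-year observation window, as in the review

# Constructed data: sample -> {scanner: first-detection day or None}
SCAN_RESULTS = {
    "sample-A": {"av1": 0, "av2": 1, "av3": 14, "av4": None},
    "sample-B": {"av1": 3, "av2": 2, "av3": 5, "av4": 30},
    "sample-C": {"av1": None, "av2": 0, "av3": None, "av4": None},
    "sample-D": {"av1": None, "av2": None, "av3": None, "av4": None},
    "sample-E": {"av1": 20, "av2": 60, "av3": None, "av4": None},
}


def first_detection_day(verdicts):
    """Day on which at least one scanner caught the sample, or None if none did."""
    days = [d for d in verdicts.values() if d is not None]
    return min(days) if days else None


def mean_days_to_first_detection(results):
    """Average delay until *any* scanner detects a sample; never-detected samples are excluded."""
    delays = [first_detection_day(v) for v in results.values()]
    return mean(d for d in delays if d is not None)


def detection_rate_at(results, day):
    """Share of (sample, scanner) pairs for which the scanner had a verdict by `day`."""
    pairs = [d for v in results.values() for d in v.values()]
    hits = sum(1 for d in pairs if d is not None and d <= day)
    return hits / len(pairs)


def never_detected(results):
    """Samples that no scanner flagged within the window."""
    return sorted(s for s, v in results.items() if first_detection_day(v) is None)


def scanners_missing_detectable(results, day):
    """Fraction of scanners that, at `day`, still miss a sample some other scanner caught by then."""
    scanners = sorted({s for v in results.values() for s in v})
    missing = 0
    for scanner in scanners:
        for verdicts in results.values():
            first = first_detection_day(verdicts)
            if first is None or first > day:
                continue  # nobody caught it by `day`; not attributable to this scanner
            mine = verdicts.get(scanner)
            if mine is None or mine > day:
                missing += 1
                break
    return missing / len(scanners)


if __name__ == "__main__":
    print("mean days to first detection:", mean_days_to_first_detection(SCAN_RESULTS))
    for day in (0, 14, WINDOW_DAYS):
        print(f"day {day}: rate {detection_rate_at(SCAN_RESULTS, day):.2f}, "
              f"scanners still missing something {scanners_missing_detectable(SCAN_RESULTS, day):.2f}")
    print("never detected:", never_detected(SCAN_RESULTS))
```

The split between `detection_rate_at` (per scanner/sample pair) and `scanners_missing_detectable` (per scanner, only counting samples that were detectable at all) is the point: the second metric is the one that answers "is one vendor enough?", and it stays high long after the headline detection rate looks acceptable.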
7. Advanced Persistent Threat (APT)
• Nation-State techniques now used for financial gain
• Antivirus can’t keep up. New malware has been created as a variant of existing malware to avoid detection by classic techniques
8. Evolution of APTs
Today, normal criminal malware exploits the same advanced tactics as nation-state APTs. Every organization is at risk of advanced threats!
• Zeus copies Stuxnet 0day
• Criminals use 0day malware (Cryptolocker)
• Zeus uses stolen certificates
• Criminal spear phishing
• Criminal watering hole attacks
13. Zero Day Threat Curve (diagram: AV, OS / application sandbox, malware and virus detection)
14. Sandbox (diagram: three generations of advanced malware analysis, left to right)
• 1st – hypervisor-based: OS (XP / Win 7) on a hypervisor on a server. High fidelity, low visibility.
• 2nd – process emulation: XP / Win 7 functions emulated per process on the server. Low fidelity, high visibility.
• 3rd – system emulation: CPU and memory emulated, with the OS (XP / Win 7) running on top. High fidelity, high visibility.
15. APT Blocker with Code Emulation
• Evasion detection is critical
16. Dynamic evasions (diagram: exploit → malware? → key logger / C&C network traffic, versus stalling / looping and inaction)
• Malware checks the environment
• Multi-path execution
• Next step based on results
• Stalling / looping
• Wait long enough for analysis to time out
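The evasions listed above (environment checks, stalling and looping until the analysis times out) leave a recognisable shape in a behaviour trace: many fingerprinting calls, large requested sleeps, long runs of identical calls, and no actual payload activity. The following Python is an added example (not code from WatchGuard, Lastline or the slide deck) of a scorer that flags that shape over a sandbox API trace. The trace format (`<ms> <api> [arg]`), the API categories, the thresholds and the two sample traces are all constructed for illustration.

```python
"""Flag sandbox-evasion behaviour in an API trace. Added example; the trace
format, API categories, thresholds and sample traces are constructed."""

# Calls commonly used to fingerprint the analysis environment (constructed list)
ENV_CHECK_APIS = {"GetSystemInfo", "GlobalMemoryStatusEx", "GetDiskFreeSpaceExW",
                  "IsDebuggerPresent", "GetCursorPos", "GetTickCount"}
# Calls that burn wall-clock time (argument is milliseconds for the first two)
STALL_APIS = {"Sleep", "NtDelayExecution", "WaitForSingleObject"}
# Calls that indicate the sample is actually doing something
PAYLOAD_APIS = {"CreateFileW", "WriteFile", "CreateProcessW", "InternetOpenUrlW", "connect"}

STALL_MS_THRESHOLD = 60_000  # total requested sleep before we call it stalling
LOOP_THRESHOLD = 50          # identical consecutive calls before we call it looping
ENV_CHECK_THRESHOLD = 4      # fingerprinting calls before we call it environment-aware

# Constructed trace: fingerprint, sleep, poll the cursor, then spin on the clock
EVASIVE_TRACE = [
    "0 GetSystemInfo",
    "1 GlobalMemoryStatusEx",
    "2 GetDiskFreeSpaceExW C:\\",
    "3 IsDebuggerPresent",
    "4 GetCursorPos",
    "5 Sleep 30000",
    "30005 GetCursorPos",
    "30006 Sleep 30000",
    "60006 GetCursorPos",
    "60007 Sleep 30000",
] + [f"{90007 + i} GetTickCount" for i in range(200)]

# Constructed trace of an ordinary program: one lookup, then real file work
BENIGN_TRACE = [
    "0 GetSystemInfo",
    "1 CreateFileW C:\\Users\\demo\\report.txt",
    "2 WriteFile 4096",
    "3 Sleep 100",
    "104 CreateFileW C:\\Users\\demo\\report.bak",
    "105 WriteFile 512",
]


def parse_trace(lines):
    """Turn '<ms> <api> [arg]' lines into (ms, api, arg) tuples; skip malformed lines."""
    events = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        arg = parts[2] if len(parts) == 3 else ""
        events.append((int(parts[0]), parts[1], arg))
    return events


def longest_identical_run(events):
    """Length of the longest run of back-to-back calls to the same API."""
    best = run = 0
    prev = None
    for _, api, _ in events:
        run = run + 1 if api == prev else 1
        prev = api
        best = max(best, run)
    return best


def analyze_trace(lines):
    """Summarise a trace and return the evasion flags it earns."""
    events = parse_trace(lines)
    env_checks = sum(1 for _, api, _ in events if api in ENV_CHECK_APIS)
    payload_calls = sum(1 for _, api, _ in events if api in PAYLOAD_APIS)
    sleep_ms = sum(int(arg) for _, api, arg in events
                   if api in {"Sleep", "NtDelayExecution"} and arg.isdigit())
    loop = longest_identical_run(events)
    flags = []
    if sleep_ms >= STALL_MS_THRESHOLD or loop >= LOOP_THRESHOLD:
        flags.append("stalling")
    if env_checks >= ENV_CHECK_THRESHOLD and payload_calls == 0:
        flags.append("environment-fingerprinting")
    return {"events": len(events), "env_checks": env_checks, "sleep_ms": sleep_ms,
            "longest_loop": loop, "payload_calls": payload_calls, "flags": flags}


if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, analyze_trace(trace))
```

A scorer like this is only useful when the trace is complete, which is the slide's argument for full-system emulation: an analysis that hooks a few library calls never sees the tight `GetTickCount` loop, and a sample that sleeps past the timeout produces an empty, "clean" report.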
22. Did you get Locky ?
http://watchguardsecuritycenter.com
Once I verified that many of our UTM’s security services could detect Locky, I ran through one last test… I personally tried to download the malicious file “Rechnung-263-0779.xls” from my webmail.
I’ve configured my WatchGuard Firebox with HTTPS Deep Inspection. This feature allows WatchGuard’s security services, such as GAV and Intrusion Prevention Service (IPS), to run security scans even on encrypted web traffic, like the webmail I was using to download this ransomware.
Despite the encrypted webmail connection, our Firebox detected and blocked the Locky invoice file with the GAV service. It was unable to reach my workstation.
As you can see, WatchGuard XTM and Firebox appliances have several features that can help prevent ransomware like Locky. However, these protections only work if you turn them on and configure them properly. If you want to keep Locky off your network, I highly recommend you read the Knowledgebase Article “How to prevent ransomware and other malicious malware with your Firebox” — Jonas Spieckermann
You need to enable HTTPS DPI on your Firebox!
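The reason the slide insists on HTTPS deep inspection is that without it a gateway sees only TLS metadata (essentially the server name), never the attachment name or its bytes, so no content policy and no AV engine can run. The following Python is an added example (not WatchGuard code and not the Firebox's actual policy) contrasting the two views: one function shows what is available without decryption, the other parses a decrypted HTTP response, recovers the attachment filename, identifies the real container from its magic bytes and applies an illustrative policy. The HTTP responses are constructed; the Office body is only an OLE2 header followed by zero padding, not a real document or malware.

```python
"""What a gateway can check with and without HTTPS inspection. Added example;
the responses, the policy and the verdict names are constructed."""
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office (.xls/.doc) container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.xlsx/.docm) and other zips
PDF_MAGIC = b"%PDF"

# Which container each declared extension should carry (illustrative mapping)
EXPECTED_CONTAINER = {".xls": "ole2", ".doc": "ole2", ".xlsx": "zip", ".xlsm": "zip",
                      ".docx": "zip", ".docm": "zip", ".pdf": "pdf"}
OFFICE_EXTENSIONS = {".xls", ".doc", ".xlsx", ".xlsm", ".docx", ".docm"}

# Constructed responses, as the gateway would see them only after decryption
SAMPLE_XLS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/vnd.ms-excel\r\n"
    b'Content-Disposition: attachment; filename="Rechnung-263-0779.xls"\r\n'
    b"\r\n" + OLE2_MAGIC + b"\x00" * 56
)
SAMPLE_PDF_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="report.pdf"\r\n'
    b"\r\n" + PDF_MAGIC + b"-1.4\n%constructed\n"
)
SAMPLE_MISMATCH_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="invoice.pdf"\r\n'
    b"\r\n" + OLE2_MAGIC + b"\x00" * 56
)


def visible_without_inspection(sni):
    """Without DPI the gateway has the TLS server name and nothing about the content."""
    return {"server_name": sni, "filename": None, "container": None, "verdict": "allow"}


def parse_http_response(raw):
    """Split a decrypted HTTP/1.1 response into status line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body}


def attachment_filename(headers):
    """Filename from Content-Disposition, or None when it is not a named attachment."""
    match = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    return match.group(1) if match else None


def container_type(body):
    """Identify the real container from magic bytes rather than trusting the name."""
    if body.startswith(OLE2_MAGIC):
        return "ole2"
    if body.startswith(ZIP_MAGIC):
        return "zip"
    if body.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def inspect_decrypted_response(raw):
    """Illustrative policy: block name/container mismatches, quarantine Office files for AV."""
    resp = parse_http_response(raw)
    name = attachment_filename(resp["headers"])
    container = container_type(resp["body"])
    result = {"filename": name, "container": container, "verdict": "allow"}
    if name is None:
        return result
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = EXPECTED_CONTAINER.get(ext)
    if expected and container != expected:
        result["verdict"] = "block"        # declared type and real bytes disagree
    elif ext in OFFICE_EXTENSIONS:
        result["verdict"] = "quarantine"   # hold for the AV / APT engine before release
    return result


if __name__ == "__main__":
    print(visible_without_inspection("mail.example.net"))
    for raw in (SAMPLE_XLS_RESPONSE, SAMPLE_PDF_RESPONSE, SAMPLE_MISMATCH_RESPONSE):
        print(inspect_decrypted_response(raw))
```

The verdict names are placeholders for whatever the real appliance does next (in the blog excerpt above, handing the file to GAV); the point the example makes is that every field that drives the decision, filename and magic bytes alike, only exists once the TLS session has been opened by the inspecting device.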
23. An APT solution should
• not be dependent on (AV) signatures
• not depend on traditional sandbox technology
• detect evasions
• take prompt actions in real-time
25. True APTs – even obvious from the Dutch file names
• Advanced: trigger interest
• Targeted, e.g. containing the name of the organization
• Threats: true APTs
• Watering holes – “Eucharistieviering”, Dutch
• Chain of trust: by using ‘religious activities’ and social-engineering-based factors
• Non-profit organizations targeted
Traditional Sandboxing Technology
• Limited visibility due to reliance on OS system calls and library instrumentation
• Susceptible to evasive techniques
• Detectable inside sandbox