Sophos Senior Security Advisor John Shier gave an insight into the most popular threats on the current IT security market. What works, what doesn't, what do we and our users need to look out for. Not only did he give some great insights but also was able to give some local Benelux numbers on the most popular and widely used threats.

1. Threat Landscape
John Shier
Sr. Security Advisor
@john_shier
November 2016

3. Top detections: Benelux
3
Infected archive
JS downloader/trojan
Conficker
JS downloader/email
ActiveX/IE vuln
VBS downloader
LNK/AutoIT worm
Phishing
Generic
VBS LNK/Jenxcus
LNK/Bundpil
Callhome

4. What are we facing?
4

5. Phishing

6. How not to phish
6

7. How not to phish
7
http://[IP ADDRESS]/fcid/6a6f686e2e736869657240736f70686f732e636f6d/

8. Modern phishing
8

9. Modern phishing
9

10. Modern phishing
10

11. Modern phishing
11

12. Modern phishing
12

13. Modern phishing
13

14. HD phishing
14

15. Locally targeted
15

16. Malvertising

18. RTBAd network Third party
Malvertising threat chain

19. No site is immune
19

20. Exploit kits
20

21. A decade of misery
21
2006 2013 2016

22. Exploits as a Service
22
Initial Request
Victims
Exploit Kit Customers Redirection
Malicious
Payloads
Stats
Landing Page
Exploits
Payloads
Get Current Domain
Get Stats
Update payloads
Management Panel Malware Distribution
Servers
Gateway Servers
VPN
Exploit Kit AdminSpammer/Malvertiser Exploit merchant
Ransomware author

23. EK prominence – October 2016
23
RIG
Nuclear
Chinese EK
Da Gong/Gondad
Angler
Fiesta
Neutrino v2
Other

24. Mirai

25. What we know, by the numbers
•550,000 compromised devices
•9 different architectures
•Attacking tcp/23,2323
•80% are DVRs
•24%overlapw ith‘ gafgyt’
•10% attacked Dyn
•10/1/2016 source code released
25

26. Mirai infrastructure
26
src: http://blog.level3.com/security/grinch-stole-iot/

27. scanner.c
27

28. attack.go, attack.h
28

29. Use the (brute) force
29

30. Who’stoblame?
src: https://krebsonsecurity.com/wp-content/uploads/2016/10/iotbadpass-pdf.png
30

31. 31
src: http://www.geekculture.com/joyoftech/joyarchives/1947.html

32. Document malware
32

33. Why does document malware work?
33
•Out of the spotlight
•Familiarity and trust
•Email as file transfer
protocol
•Patching failure
•Call to action

34. Curiosity infected the cat
34

35. Build Your Own
35

36. How to protect against document malware?
36
•Email filtering
•Sandbox
•Cloud services
•Document viewers
•Share files differently

37. Data stealing malware
37

38. Why does data stealing malware work?
38
•Multiple security failures
•Needs a human actor
•Poor network segregation
•Over privileged users
•Poor outbound filtering
•Unknown baseline

39. How does data stealing malware work?
39

40. Target(ed) exfiltration
40

41. How to protect against data stealing malware?
41
•Multiple security failures
•Needs a human actor
•Poor network segregation
•Over privileged users
•Poor outbound filtering
•Unknown baseline

42. Ransomware
42

43. Why does ransomware work?
43
•Complex threat chain
•Social Engineering
•No need for persistence
•Uses existing tools
•Geographically targeted,
locally customized
•It’syour data

44. Locky/Zepto/Odin
44

45. Locky/Zepto/Odin
45

46. CryptoWall 4.0
46

47. Zcrypt
47

48. Stampado/Philadelphia
48

49. 49

50. Ransomware Bitcoin
50
•Convenient
•Anonymous
•Laundered
•Openly criminal

51. 6 tips for preventing ransomware
51
1. Back up your files regularly and keep them offline
2. Don’tenablem acrosinem aileddocs
3. Tell Windows to show file extensions
4. Don’topenscriptorshortcutfilessentbyem ail
5. Don’tgiveyourselfm oreloginpowerthan
necessary
6. Patch early, patch often

52. 52

53. Users
53

54. It’s n o t a ll b a d n e w s
54
•Social engineering works
•People like to help
•Stop worrying about the
Nigerians
•OSINT
•Trainingisn’ttheonlyansw er
•Create a security culture
•Use your remote sensors