SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016.
Slide 1
Lars Putteneers
7 June 2016
SOPHOS
Stopping Tomorrow's Attacks Today: a next-gen approach for advanced threats
Slide 2
Sophos Snapshot (infographic; figures as shown on the slide)
Founded 1985, Oxford, UK; HQ Oxford, UK
Approx. $450M in FY15 billing
Approx. 2,200 employees
200,000+ customers; 100M+ users
90+% best-in-class renewal rates
15,000+ channel partners; OEM partners
Key dev centers and offices (world map)
Slide 3
Sophos Complete Security in an Enterprise (architecture diagram; only the labels are recoverable)
Sites shown: At home and on the move; Headquarters; Remote Office 1; Remote Office 2; Sophos Cloud
Products shown across the sites: Mobile Control, Endpoint Security, SafeGuard Encryption, NextGen Firewall, Secure Wi-Fi, Guest Wi-Fi, Secure VPN Client, Secure VPN RED, Administration, Web Application Firewall, Secure Email Gateway, Secure Web Gateway, Network Storage Antivirus, Server Security, UTM
SophosLabs: Reputation Data, Active Protection, Correlated intelligence, Content Classification
Slide 5
Anatomy of a ransomware attack
1. Installation via an exploit kit or spam with an infected attachment. Once installed, the ransomware modifies registry keys.
2. Contact with the attacker's command & control server. The ransomware sends information about the infected computer to the C&C server and downloads a public key generated for this computer.
3. Encryption of assets. Files of selected types are encrypted on the local computer and on all accessible network drives using that key; the matching private key never leaves the attacker's system. (In practice most families encrypt each file with a symmetric key and wrap that key with the public key; the effect is the same: nothing can be decrypted without the attacker's private key.) Automatic Windows backups (Volume Shadow Copies) are often deleted to prevent data recovery.
4. Ransom demand. A message appears on the user's desktop explaining how a ransom (usually in bitcoin) must be paid within a time frame (e.g. 72 hours) to obtain the private key needed for decryption.
5. And gone. The ransomware then deletes itself, leaving only the encrypted files and the ransom notes behind.
Slide 6
Angler: an all-too-well-known exploit kit
• Grown in notoriety since mid 2014
  ○ The payload is stored in memory and the disk file is deleted
  ○ Detects security products and virtual machines
  ○ Ability to spread many infections: banking Trojans, backdoors, rootkits, ransomware
• Easy to use
  ○ Doesn't require any particular technical competence
  ○ Available for a few thousand USD on the Dark Web
Slide 8
Another one bites the dust
• 350,000 new malware programs per day
• 70% of organisations reported a compromise in the last 12 months
• $500 billion in worldwide damages
• Estimated to rise to $1.5 trillion by 2019
Slide 16
Ransomware
• Cryptowall cost users $325M in 2015
  ○ 2 out of 3 infections driven by phishing attacks
  ○ Delivered by drive-by exploit kits
  ○ Hundreds of thousands of victims worldwide
• More variants: Locky and Samas
  ○ Now for Mac and Windows users
• Targeting bigger phish
  ○ $17K payment from a California hospital
CryptoGuard: Say Goodbye to Ransomware
• Simple and comprehensive
• Universally prevents spontaneous encryption of data
• Simple activation in Sophos Central
Slide 17
CryptoGuard
1. Monitors file system activity.
2. When a file is opened for write, creates a just-in-time backup of the file.
3. When the file is closed, compares the contents.
4. When the file is no longer a document, marks it as suspicious.
5. If this happens on many files (3 or more), rolls the files back from the backup and revokes write access from the process (or client IP) that made the changes.
6. All modifications are tracked per process or per client IP, so if a remote client modifies files they are tracked, rolled back and blocked if needed.
Slide 26
Sophos Sandstorm: Advanced Threat Defense Made Simple
How Sophos Sandstorm works
1. If the file contains known malware it is blocked immediately. If it is otherwise suspicious and has not been seen before, it is sent to the sandbox for further analysis. When web browsing, users see a "please wait" message during the analysis.
2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file is sent to the security solution once the analysis is complete.
3. A detailed report is provided for each file analyzed.
Integrates with: Secure Web Gateway, Secure Email Gateway, Unified Threat Management, Next-Gen Firewall
Slide 28
I just want to be your everything
Traditional malware and advanced threats: methods and techniques vary depending on device type and operating system (Windows, Mac, Linux/Unix variants, Android, iOS), and SophosLabs never stops innovating and assessing new techniques.
Layered protection (percentages as shown on the slide):
• Exposure prevention (80%): malicious URL blocking, malicious web script detection, download reputation
• Pre-execution analytics and heuristics (10%): generic matching using heuristics and component-level rules
• Signatures (5%): signature match of malware or malware components (1-1)
• Run-time behavior analytics (3%): behavior matching and runtime analytics
• Exploit detection (2%)
Slide 29
More information
• Sophos whitepaper on how to stay protected from ransomware
  https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en
• Sophos technical whitepaper on ransomware
  https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of-ransomware.pdf?la=en
• Naked Security: regular stories on Locky and other ransomware attacks
  https://nakedsecurity.sophos.com/
• IT Security DOs and DON'Ts
  https://www.sophos.com/en-us/medialibrary/PDFs/employeetraining/sophosdosanddontshandbook.pdf?la=en
• Threatsaurus
  https://www.sophos.com/en-us/medialibrary/PDFs/other/sophosthreatsaurusaz.pdf?la=en
When we look at ransomware attacks, we see the following pattern.
Step 1: the ransomware needs to be installed on the target computer. Usually this is done through an exploit kit or through a spam campaign.
Once installed, it changes some registry keys on the target.
Step 2: when the ransomware is active on the target, it connects to a command and control server, sends information about the infected computer and downloads a public key for this computer.
Step 3: now that the ransomware has the public key, it encrypts files on the local computer, including the network drives that are accessible from this computer.
Often the shadow copies on the Windows machine are deleted to prevent you from recovering the encrypted files.
Step 4: when the ransomware has finished messing with your files it shows the ransom note, with instructions on how to pay the ransom, often in bitcoin.
Step 5: after the ransom note is shown the ransomware deletes itself and leaves you with the ransom note and the encrypted files.
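The shadow-copy deletion in step 3 is the one stage of this pattern that leaves a loud, host-side trace before the damage is complete, so it is worth detecting on its own. Below is an added example (mine, not from the presentation) of that detection logic in Python, run over constructed process-creation records. The `key=value|...` record format, the sample log lines, the host and user names and the parent-process watch list are all constructed for this example; the command lines in the rule table are the well-known ways Windows recovery is disabled (`vssadmin delete shadows`, `wmic shadowcopy delete`, `bcdedit ... recoveryenabled no`, `wbadmin delete catalog`).

```python
"""Detect attempts to destroy Windows recovery data (shadow copies, backup
catalog, boot recovery) in process-creation records. Added example, not Sophos code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# (rule name, regex over the full command line). Case-insensitive and tolerant of
# argument order: lookaheads require each token somewhere after the binary name.
RECOVERY_TAMPER_RULES = [
    ("vssadmin-delete-shadows", re.compile(r"\bvssadmin(?:\.exe)?\b(?=.*\bdelete\b)(?=.*\bshadows\b)", re.I)),
    ("vssadmin-resize-shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\b(?=.*\bresize\b)(?=.*\bshadowstorage\b)", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"\bwmic(?:\.exe)?\b(?=.*\bshadowcopy\b)(?=.*\bdelete\b)", re.I)),
    ("bcdedit-disable-recovery", re.compile(r"\bbcdedit(?:\.exe)?\b(?=.*\brecoveryenabled\s+no\b|.*\bignoreallfailures\b)", re.I)),
    ("wbadmin-delete-catalog", re.compile(r"\bwbadmin(?:\.exe)?\b(?=.*\bdelete\b)(?=.*\bcatalog\b)", re.I)),
]

# Parents that have no business disabling recovery (constructed list): a hit
# spawned from one of these is escalated, since it points at a document or
# script lure rather than an administrator at a console.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def parse_line(line: str) -> ProcessEvent:
    """Parse the constructed 'key=value|key=value' record format of the sample log."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|") if part)
    return ProcessEvent(fields["host"], fields["user"], fields["parent"], fields["image"], fields["cmdline"])


def classify(event: ProcessEvent) -> List[str]:
    return [name for name, rx in RECOVERY_TAMPER_RULES if rx.search(event.cmdline)]


def severity(event: ProcessEvent) -> str:
    return "high" if event.parent.lower() in USER_FACING_PARENTS else "medium"


def scan(log_text: str) -> List[dict]:
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        rules = classify(event)
        if rules:
            hits.append({"host": event.host, "parent": event.parent, "rules": rules,
                         "severity": severity(event), "cmdline": event.cmdline})
    return hits


def hosts_with_tampering(hits: List[dict]) -> Dict[str, int]:
    """Distinct tamper techniques seen per host; two or more is a very strong signal."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].update(h["rules"])
    return {host: len(rules) for host, rules in per_host.items()}


# Constructed sample log: one benign editor launch, one benign 'vssadmin list',
# and four recovery-tampering commands on three hosts.
SAMPLE_LOG = """\
host=WS-042|user=CORP\\alice|parent=explorer.exe|image=notepad.exe|cmdline=notepad.exe notes.txt
host=WS-042|user=CORP\\alice|parent=winword.exe|image=cmd.exe|cmdline=cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
host=WS-042|user=CORP\\alice|parent=cmd.exe|image=bcdedit.exe|cmdline=bcdedit /set {default} recoveryenabled No
host=SRV-01|user=CORP\\backupsvc|parent=services.exe|image=vssadmin.exe|cmdline=vssadmin list shadows
host=SRV-01|user=CORP\\backupsvc|parent=cmd.exe|image=wmic.exe|cmdline=wmic shadowcopy delete
host=WS-077|user=CORP\\bob|parent=wscript.exe|image=wbadmin.exe|cmdline=wbadmin delete catalog -quiet
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"], hit["host"], hit["parent"], hit["rules"], hit["cmdline"])
    print(hosts_with_tampering(scan(SAMPLE_LOG)))
```

Two points a SOC engineer will want to keep in mind: `vssadmin list shadows` and routine `vssadmin resize shadowstorage` from a backup agent are legitimate, so the parent process and the count of distinct techniques per host carry more weight than any single command line; and because the ransomware in the pattern above encrypts after deleting shadow copies, a high-severity hit is a reason to isolate the host immediately rather than to wait for the rest of the chain.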
One of the well-known exploit kits is Angler.
It is used to spread many infections.
The payload is stored in memory and the local file is deleted.
It is easy to use and you can buy it on the dark web for a few thousand dollars.
In the picture you see the revenue.
Angler has gained market share over the last few years.
If we look at 2014 it had around 23%.
Half a year later, in January 2015, it was around 39%.
A couple of months after that it increased to over 82%.
Just last Sunday:
According to the Fox-IT Security Operations Center, at least 288 websites were affected, and it is believed that a compromised ad network was responsible for so many sites being affected simultaneously.
A lot of the popular news sites in The Netherlands were hit:
nu.nl
marktplaats.nl
sbs6.nl
rtlnieuws.nl
rtlz.nl
startpagina.nl
buienradar.nl
Angler was used in this case.
It's not just humans under attack from outside compromises; look at what is going on with our data.
If our DNA were identical, one virus could wipe us all out.
We'd also look identical, like Donald Trump maybe.
Humans share over 50% of their DNA with bananas.
Diversity of our DNA keeps our race going. It prevents our extinction from disease: there are always survivors.
More ammo for you to fight malware and clean up after it.
Sophos Clean: on-demand detect and clean-up tool for Windows OS.
Finds and removes known and early-life/zero-hour malware.
11 MB, no installation needed, runs from anywhere.
No known conflicts with existing endpoint security software; we'll have a tested list of third-party products at release. And, yes, we did test against our own endpoint products. The list is later on.
CryptoGuard is the anti-ransomware component and it works independently to provide another layer of defense against your data being held hostage by the Locky/Cryptowall type of malware. It’s a driver in the file filter stack that monitors the behaviors of the applications and processes that access your documents.
If it detects that an application is encrypting a number of files it will automatically isolate that process from the file system such that it cannot do any more damage AND it will roll-back any files that have been impacted to their prior state.
Lightweight and effective, CryptoGuard provides another layer of defense for your endpoints and data. It:
a. Stops local ransomware from attacking local data
b. Stops local ransomware from attacking remote data (including mapped or unmapped shares)
c. Stops remote ransomware from attacking local data
Since most ransomware injects into or runs from legitimate trusted processes, or even consists of or only uses trusted binaries, CryptoGuard is not shy about revoking write access from legitimate/trusted processes (or client IPs).
Another feature you can use is Sophos Sandstorm.
Sophos Sandstorm is cloud-based sandboxing.
The feature is available with our Web and Email Appliances and with Sophos UTM v9.4.
How does it work?
If we have a suspicious file, we create a hash and check that hash against Sandstorm.
If we have seen the file before we already know whether it is good or bad: a bad file is blocked immediately, a good one is delivered to the user.
If it is a new file, it is sent to the sandbox and detonated. Its behaviour is monitored, and the decision (allow or block) is sent back.
There is also a detailed report for each file that is analyzed.
Today Sophos already provides a diverse range of techniques to reduce the chance of your endpoints being compromised.
Unlike cake, the more you have of this, the better you will be.
The next slide shows why