2019 Trends and Predictions - AIM Utah Trends...


1/15/2019


Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved

2019 Security Trends & Predictions

Defending Against Future Cyber Attacks

Corey Nachreiner, CISSP, CTO


Agenda

Threat Landscape Statistics

– General attack statistics

– WatchGuard’s Internet Security Report

2018 Top Cyber Threats

– Five cyber threats to watch out for

2019 Predictions

Defense Summary


Threat Landscape by the Numbers


Endless Data Breaches (2018 H1)


Breach Costs Rise Slightly

2018 Cost of Data Breach Study

• Avg. cost per breach: $3.86M
• Avg. cost per record: $148
• Cost increase: 6.2%
• Record cost increase: 4.7%


Companies Slow to Detect and Contain


* Ponemon’s 2018 Cost of a Data Breach Report


WatchGuard’s Quarterly Internet Security Reports


Q2 2018 Malware Trends


New Dynamic ISR Threat Landscape Page

https://www.secplicity.org/threat-landscape/

1. Dynamic date ranges
2. Filter by region or country
3. Filter by malware / network attacks
4. More features coming…
   • Map with attack source
   • Filter by City
   • Top Malware domains/URLs
   • Etc…


Top Cyber Threats


5 Threats to Beware of in 2018

• Spear Phishing
• Ransomworms
• Fileless Malware
• Crypto Hacking
• Password Leaks


Flavors of Phishing

Phishing – luring a victim into giving up credentials or taking some action via a legitimate-seeming email

Spear-phishing – a more customized phishing email that targets a specific individual or group

Whaling – spear-phishing that targets C-level executives

Old phishing example:
• Not individualized
• Bulk recipients
• Uses real assets
• Malicious document

Spear-phishing example:
• Personalized to me
• Fits my job role
• Understands business relationships
• Sender makes sense in context
• Malicious attachment fits context


Users Still Click Phishing Emails


Prevention: DNS Blocking & Awareness Training

• Focus on phishing training
• DNSWatch filtering


What is a RansomWORM?

Ransomware is a form of malware that encrypts your files and demands you pay a ransom.

A worm is a type of malware that spreads automatically over your network.

A ransomworm is extremely nasty ransomware that spreads to many computers in your network.


WannaCry: Ransomworm Spreads Globally

• Emerged Friday, May 12th, 2017
• Started in Europe
  – NHS, UK (40+ locations)
  – Telefonica, Spain
  – Deutsche Bahn
  – Fedex, US
• Strong 2048-bit encryption
• Leaked NSA exploit (MS17-010)
• ~400,000 global victims
• ~$300-600 ransom (bitcoin)
• Mostly Windows 7
• Estimated $4 billion in losses
• Many copycat variants have emerged


WannaCry Still Spreading as of Mar. 2018


New Ransomware Hobbles City


Prevention: Advanced Malware Detection

• Virtualizes a full victim system
• Runs unknown content in protected environment
• Analyzes behaviors
• Detects sandbox evasion
• Tracks additional malware and C&Cs

OS Virtualization


What is Fileless Malware?

A fileless infection or fileless malware is a threat that ONLY loads malicious code in memory, rather than installing it on the victim’s hard drive.

Fileless Malware:
• Is harder for traditional AV to catch
• Tends to inject itself into normal processes on your computer
• Often leverages PowerShell and scripts
• Typically arrives in two ways:
  1. Exploits a software vulnerability on your computer
  2. Can arrive as a document (a file) that runs a script

Fileless Malware Growing

77% of attacks that successfully compromised organizations in 2017 utilized fileless techniques - Ponemon Institute

Fileless malware attacks accounted for 52% of all attacks in 2017 - Carbon Black

* Ponemon Institute’s “The 2017 State of Endpoint Security Risk Report”


Word DDE Attacks (ISR Example)

Macro-less Word malware abuses Microsoft’s Dynamic Data Execution (DDE) features to execute code on a victim computer.

Example:


DDE Attacks Increase Q4 2017

Example of code in one Word doc:

Downloads obfuscated code DECODED


Prevention: Detection & Response

• ThreatSync TI identifies known malicious processes

• Dynamic process heuristics finds suspicious processes

• HRP behavior detection could help too


Cryptocurrencies Rocket in Value


Cyber Criminals Target Anything with Value

How cyber criminals use cryptocurrency:
1. Used for “anonymous” ransom currency
2. Target online cryptocurrency wallets
3. Find and steal cryptocurrency directly from victim computers
4. Cryptojacking

Cryptojacking is hijacking a victim’s compute resources to mine cryptocurrency without the victim’s knowledge.
• Hidden script on web sites
• Malware payloads


Protection: Intelligent AV

By monitoring tens of millions of benign and malicious files using machine learning and artificial intelligence, WatchGuard can predictively identify zero day malware!


Identities Are on the Loose…


WatchGuard ISR: .GOV & .MIL Analysis

• Leaked .gov passwords = 380077
• Leaked .mil passwords = 503878

Do government and military organizations use password security best practices?

Combined, only .07% of these addresses used one of the 50 most common passwords.

Most, however, didn’t use sufficiently long passwords


SMBs Really Need MFA

Breaches that Leveraged Either Stolen and/or Weak Passwords

[Chart: 2015: 61% vs. 39%; 2016: 81% vs. 19%]

Source: Verizon Data Breach Investigations Report


Prevention: MFA Secures Authentication

Easy multi-factor authentication (MFA) for:
• Employee PC and network login
• Remote access
• Privileged users access
• Access to cloud services (SaaS)


2019 Security Predictions


2019 Security Predictions Intro


Prediction #1: AI-Driven Chatbots Go Rogue


Prediction #2: Ransomware Targets ICS


Prediction #3: UN Cyber Security Treaty


Prediction #4: “Fire Sale” from Fiction to Reality

Die Hard 4 depicted a “fire sale”, which is a three-stage coordinated attack on a country's transportation, telecommunications, financial, and utilities infrastructure systems.

Finance, Communications, Utilities & ICS


Prediction #5: Vaporworms Proliferate (Fileless Worms)


Prediction #6: Wi-Fi Hacks Still Affect WPA3


Prediction #7: 1FA Biometrics Get Hacked


Defense Summary


Cyber Kill Chain 3.0

• RECONNAISSANCE – The attacker gathers information on the victim
• DELIVERY – The attack payload is delivered through the network perimeter
• COMPROMISE/EXPLOIT – Vulnerabilities from reconnaissance stage are exploited to launch an attack
• INFECTION/INSTALLATION – The attack payload is installed on the system and persistence is obtained
• COMMAND AND CONTROL – The attack payload calls home for instructions
• LATERAL MOVEMENT/PIVOTING – The attacker moves behind the network perimeter to their final target
• OBJECTIVES/EXFILTRATION – The goal of the attack is accomplished


WatchGuard Breaks the Kill Chain

[Diagram: WatchGuard services mapped to the kill chain stages (Reconnaissance, Delivery, Compromise/Exploit, Infection/Installation, Command and Control, Lateral Movement/Pivoting, Objectives/Exfiltration). Services shown: Packet Filtering, Proxies, IPS, APT Blocker, Gateway AntiVirus, DLP, Application Control, Reputation Enabled Defense, WebBlocker, TDR, Botnet Protection.]


Summary of Defenses

UTM Layered Defense

• No single security service prevents all threats. UTM combines many services to offer Kill Chain defenses.

APT Blocker

• Ransomware is evasive and fast changing. You need behavioral malware detection to catch the latest variants.

Threat Detection and Response

• As a last defense, TDR’s Host Ransomware Prevention can stop some ransomware from encrypting files on an end point.

AuthPoint MFA

• No single factor of authentication is perfect. Passwords can leak, tokens can be stolen, and biometrics can be copied.


Thank You