EverSec + Cyphort: Big Trends in Cybersecurity
Ransomware, RATs & other Big Trends in Cybersecurity
Nick Bilogorskiy, @belogor
Stephen Harrison, EverSec Group
Agenda
o EverSec intro
o How Ransomware works
o Malvertising
o RATs: Remote Access Trojans
o Wrap-up and Q&A
Customers look to EverSec for…
o Security Design, Analysis, & Implementation Assistance
o Security Assessments
o Cyber Penetration Testing
o Remediation Services
o Integration Skills
o Managed Services
o Dark Net Recon
o Customized Hacking/Incident Response Training
What’s Changed?
Cybercrime is now a $1+ trillion industry.
Cyber warfare: 100+ nations.
✚ Over 95% of breaches occur behind perimeter firewalls.
✚ 71% of security breaches involve user devices.
✚ 51% of breaches involve corporate servers.
EverSec’s Charter – 100% Network, Data, & EP Security…
o Advanced Breach Detection {ABD}
o End Point Detection & Response {EDR}
o Advanced Data Loss Prevention {ADLP}
o Mobile & BYOD Security
o Threat Intelligence Operationalization
o Incident Response Orchestration
o Cloud Infrastructure Security
Vetting The Security Landscape, so our Clients Don’t Have To…
“EverSec Group has pulled away from the pack of me-too security solution providers … willing to wager on security startups that are turning network security and endpoint security into outdated concepts.” - CRN.com, February 26, 2015
Trusted Security Advisor
Gartner Group Has Found That…
40% of enterprises will have formal plans to address cyber security business disruption by 2018
60% of enterprise information security budgets will be allocated to rapid detection and response approaches (up from less than 10% in 2014) by 2020
What is Ransomware?
Ransomware is any malware that demands the user pay a ransom.
There are two types of ransomware: lockers and crypters.
Lockers (example: Kovter)
Crypters
TOR Primer
Bitcoin Primer
• easy to use,
• fast,
• publicly available,
• decentralized, and
• provides anonymity, which serves to encourage extortion.
How often do you backup?
Computer Backup Frequency 2008-2015 (BackBlaze data)

| Frequency | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 |
|---|---|---|---|---|---|---|---|---|
| Daily | 6% | 6% | 8% | 6% | 10% | 10% | 9% | 8% |
| Other | 56% | 57% | 58% | 60% | 10% | 59% | 63% | 67% |
| Never | 38% | 37% | 34% | 34% | 31% | 29% | 28% | 25% |
The Ransomware Business Model
o 90% of people do not backup daily
o Data theft in place
o Anonymity (TOR, Bitcoin)
o Operating with impunity in Eastern Europe
o Extortion
o Focus on ease of use to drive conversion
o Currently 50% pay the ransom; it was 41% 2 years ago
The Ransomware Business Model (flow diagram): Locked Files → Bitcoin ransom sent to C&C server → Private key sent back to the victim → Unlocked Files
Known Victims… So far

HOSPITALS: Hollywood Presbyterian Medical Center, Kentucky Methodist Hospital, Alvarado Hospital Medical Center and King's Daughters' Health, Chino Valley Medical Center and Desert Valley Hospital, Baltimore’s Union Memorial Hospital, and many others.

POLICE: Tewksbury Police Department, Swansea Police Department, the Chicago suburb of Midlothian, Dickson County, Tennessee, Durham, N.H., Plainfield, N.J., Collinsville, Alabama; hackers in Detroit demanded $800,000 in bitcoin after they had encrypted the city's database.

SCHOOLS: A South Carolina school district paid $10,000. A New Jersey school district was hit, holding up the computerized PARCC exams. Follett Learning's Destiny library management software, which is used in US schools, is vulnerable to SamSam ransomware.

GOVERNMENT: 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, according to the Department of Homeland Security.
Apr 30, 2016: In the past 48 hours, the House Information Security Office has seen an increase of attacks on the House Network […] focused on putting “ransomware” on users’ computers. […] As part of that effort, we will be blocking access to YahooMail on the House Network until further notice.
Stats: 500% growth last year (Recorded Future)
Ransomware: The Price You Pay
2014 - $24 M. | 2015 - $24 M. | 2016 - $209 M in Q1
Ransomware: Additional Costs
o network mitigation
o network countermeasures
o loss of productivity
o legal fees
o IT services
o purchase of credit monitoring services for employees or customers
o potential harm to an organization’s reputation
2016 Ransomware tricks
1. Targeting businesses (e.g. hospitals) rather than individuals.
2. Deleting files at regular intervals to increase the urgency to pay ransom faster – Jigsaw
3. Encrypting entire drives - Petya
4. Encrypting web servers' data - RansomWeb, Kimcilware
2016 Ransomware tricks
5. Encrypting data on network drives - even on those that are not mapped - DMA Locker, Locky, Cerber and CryptoFortress
6. Deleting files at regular intervals to increase the urgency to pay ransom faster – Jigsaw
7. Deleting or overwriting cloud backups.
8. Encrypting each file with its own unique key - Rokku
2016 Ransomware tricks
9. Targeting non-Windows platforms – SimpleLocker, DogSpectus, KeRanger
10. Using the computer speaker to speak audio messages to the victim - Cerber
11. Ransomware as a service – Tox
12. Using counter-detection malware armoring, anti-VM and anti-analysis functions - CryptXXX
How do Users get Ransomware? (survey chart, Osterman Research)
Tips to Avoid Ransomware Infection
o Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps
o Use network protection
o Use a comprehensive endpoint security solution with behavioral detection
o Turn Windows User Account Control on
o Block Macros
Tips to Avoid Ransomware Infection
o Be skeptical: Don’t click on anything suspicious
o Block popups and use an ad-blocker
o Override your browser’s user-agent*
o Consider Microsoft Office viewers
o Disable Windows Script Host
Tips to Avoid Losing Data to Ransomware
o Identify the ransomware and look for a decryptor: https://id-ransomware.malwarehunterteam.com/
o Shadow Copies
o Turn off the computer at first signs of infection
o Remember: the only effective ransomware defense is backup
Tips to Avoid Losing Data to Ransomware
o List of free decryptors: http://bit.ly/decryptors
Malvertising
What is Malvertising?
Malvertising is the use of online advertising to spread malware.
Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.
(Source: Anti-Malvertising.com)
How Malvertising works
1. Attacker: creates and injects malware ads into an advertising network.
2. Advertising Network: selects an ad based on auction and sends it to the website.
3. Website: serves a banner ad, sometimes malicious.
4. User: visits a popular website, gets infected via an exploit kit.
Rise of Malvertising
(Chart: malvertising domains per year, 2014 to 2016; y-axis 0 to 2500)
Techniques to avoid detection
o Enable malicious payload after a delay
o Only serve exploits to every 10th user
o Verifying user agents and IP addresses
o HTTPS redirectors
Who is to blame for Malvertising?
Popular websites, ad exchanges, ad networks, users, browsers
Malvertising
o Advertising networks get millions of submissions, and it is difficult to filter out every single malicious one.
o Attackers will use a variety of techniques to hide from detection by analysts and scanners
o Advertising networks should use continuous monitoring – automated systems for repeated checking for malware ads, need to scan early and scan often, picking up changes in the advertising chains.
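The evasion techniques listed a few slides earlier (serving the exploit only to every 10th visitor, checking user agents) are exactly what a single manual check misses, and the continuous monitoring recommended here can be demonstrated as differential scanning. This is an added example, not code from the deck or from Cyphort or EverSec; the ad server, the URLs and the user-agent strings are constructed stand-ins.

```python
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for an ad network that cloaks like the slide describes: the exploit-kit
# redirect is served only to every 10th visitor and only to a browser-looking user agent.
class ConstructedAdServer:
    def __init__(self) -> None:
        self.visits = 0

    def fetch(self, url: str, user_agent: str) -> str:
        """Return the next URL in the redirect chain, or "" when the chain ends."""
        if url == "https://ads.example/banner":
            self.visits += 1
            if "Mozilla" in user_agent and self.visits % 10 == 0:
                return "https://redirector.example/go"
            return "https://cdn.example/creative.png"
        if url == "https://redirector.example/go":
            return "https://ek.example/landing"
        return ""

Fetcher = Callable[[str, str], str]  # (url, user_agent) -> next url or ""
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SCANNER_UA = "ad-scanner/1.0"

def follow_chain(fetch: Fetcher, start: str, user_agent: str, max_hops: int = 10) -> Tuple[str, ...]:
    """Follow redirects from `start` and return every URL visited, in order."""
    chain, url = [start], start
    for _ in range(max_hops):
        url = fetch(url, user_agent)
        if not url:
            break
        chain.append(url)
    return tuple(chain)

def scan(fetch: Fetcher, start: str, user_agents: List[str], repeats: int) -> Dict[str, Counter]:
    """Scan early and often: `repeats` fetches per user agent, counting each distinct chain seen."""
    seen: Dict[str, Counter] = {ua: Counter() for ua in user_agents}
    for ua in user_agents:
        for _ in range(repeats):
            seen[ua][follow_chain(fetch, start, ua)] += 1
    return seen

def divergent_chains(seen: Dict[str, Counter]) -> List[Tuple[str, Tuple[str, ...], int]]:
    """Report (user_agent, chain, count) for every chain other than the dominant one.
    A chain served only to a slice of visitors or only to one user agent is the cloaking signal."""
    overall: Counter = Counter()
    for counts in seen.values():
        overall.update(counts)
    baseline = overall.most_common(1)[0][0]
    return [(ua, chain, n) for ua, counts in seen.items()
            for chain, n in counts.items() if chain != baseline]
```

A single pass with the scanner user agent reports nothing, which is the point of the slide: only repeated scans under a real browser identity surface the chain that leads to the exploit kit.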
RATs: Remote Access Trojans
Dridex malware
o First seen: Nov 2014, new versions throughout 2015
o Target: North American and European banks
o Distribution: spam mails with Word documents
o Some versions use P2P over HTTP for carrying out botnet communication
o Uses web injects to carry out man-in-the-browser attacks
o Uses VNC
o It is both a RAT tool and a banking Trojan
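A check a mail gateway can run for the "Block Macros" tip given earlier and for the Word-document spam that delivers Dridex. This is an added example, not code from the deck or from either company; the sample attachments are constructed in memory and `build_sample_doc` is a demo helper, not a real Word document generator.

```python
import io
import zipfile
from typing import List

# OOXML files (.docx/.docm/.xlsm) are zip archives; a macro-enabled document carries a
# vbaProject.bin part that must also be declared in [Content_Types].xml.
MACRO_PART_SUFFIX = "vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

def find_macro_parts(data: bytes) -> List[str]:
    """Names of macro-bearing parts in an OOXML blob; [] if none.
    Non-zip input (e.g. a legacy .doc) is reported as [] here and needs a separate OLE check."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    with zf:
        names = zf.namelist()
        hits = [n for n in names if n.endswith(MACRO_PART_SUFFIX)]
        # Cross-check the manifest: a renamed macro part still has to be declared there.
        if not hits and "[Content_Types].xml" in names:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CONTENT_TYPE in manifest:
                hits.append("[Content_Types].xml declares " + MACRO_CONTENT_TYPE)
    return hits

def should_block(attachment: bytes) -> bool:
    """Gateway policy from the slide: block the attachment when any macro part is present."""
    return bool(find_macro_parts(attachment))

def build_sample_doc(with_macro: bool, part_name: str = "word/vbaProject.bin") -> bytes:
    """Construct a minimal OOXML-shaped archive for the demo (constructed, not a real Word file)."""
    ns = "http://schemas.openxmlformats.org/package/2006/content-types"
    types = [f'<Types xmlns="{ns}">']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(part_name, b"\xd0\xcf\x11\xe0" + b"\x00" * 16)  # OLE magic, constructed
            types.append(f'<Override PartName="/{part_name}" ContentType="{MACRO_CONTENT_TYPE}"/>')
        zf.writestr("[Content_Types].xml", "".join(types) + "</Types>")
    return buf.getvalue()
```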
Need complete & correlated visibility across: endpoints, web, email, network behavior, deception.
Summary
1. Ransomware evolved into a major threat allowing criminals to easily monetize malware infections via Bitcoin.
2. Every platform is vulnerable to ransomware.
3. Backup your files! Since decrypting encrypted files is not always possible, frequent backups become even more critical. And keep your backup offline.
4. Malvertising is on pace to have a record year.
5. Must use defense-in-depth techniques powered by machine learning to defeat malware at every stage of the kill chain.
Thank You!