Sophos Day Belgium - The IT Threat Landscape and what to look out for
Threat Landscape
John Shier Sr. Security Advisor @john_shier
November 2016
Top detections: Benelux
(chart legend, in the order shown)
•Infected archive
•JS downloader/trojan
•Conficker
•JS downloader/email
•ActiveX/IE vuln
•VBS downloader
•LNK/AutoIT worm
•Phishing
•Generic VBS
•LNK/Jenxcus
•LNK/Bundpil
•Callhome
What are we facing?
Phishing
How not to phish
http://[IP ADDRESS]/fcid/6a6f686e2e736869657240736f70686f732e636f6d/
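The long hex string in that path is not random: it is the recipient's e-mail address, byte for byte, so every click tells the phisher which address is live. The following is an added example (not code from the talk) that pulls the segment after `/fcid/` out of such a URL, hex-decodes it and checks whether it looks like an address. The host `198.51.100.7` is a placeholder standing in for the redacted `[IP ADDRESS]`; only the hex segment is taken from the slide.

```c
/* Added example: decode the per-recipient token in a phishing URL of the form
 * http://<host>/fcid/<hex>/ . The host used in the tests is a constructed
 * placeholder; the hex segment is the one shown on the slide. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Decode hexlen hex digits into out (NUL-terminated). Returns the decoded
 * length, or -1 if the input is odd-length, non-hex, or too big for out. */
static int hex_decode(const char *hex, size_t hexlen, char *out, size_t outsz)
{
    if (hexlen % 2 != 0 || hexlen / 2 + 1 > outsz)
        return -1;
    for (size_t i = 0; i < hexlen; i += 2) {
        unsigned v = 0;
        for (int k = 0; k < 2; k++) {
            char c = (char)tolower((unsigned char)hex[i + k]);
            v <<= 4;
            if (c >= '0' && c <= '9')      v |= (unsigned)(c - '0');
            else if (c >= 'a' && c <= 'f') v |= (unsigned)(c - 'a' + 10);
            else                           return -1;
        }
        out[i / 2] = (char)v;
    }
    out[hexlen / 2] = '\0';
    return (int)(hexlen / 2);
}

/* Find the path segment after "/fcid/" and decode it into email.
 * Returns 1 on success, 0 if there is no such segment or it is not valid hex. */
int phish_url_recipient(const char *url, char *email, size_t emailsz)
{
    const char *p = strstr(url, "/fcid/");
    if (!p)
        return 0;
    p += strlen("/fcid/");
    const char *end = strchr(p, '/');
    size_t n = end ? (size_t)(end - p) : strlen(p);
    if (n == 0)
        return 0;
    return hex_decode(p, n, email, emailsz) > 0;
}

/* Cheap heuristic: something@domain.tld, enough to flag a tracking token. */
int looks_like_email(const char *s)
{
    const char *at = strchr(s, '@');
    return at != NULL && at != s && strchr(at + 1, '.') != NULL;
}

int main(void)
{
    /* Constructed URL: placeholder host, hex segment from the slide. */
    const char *url =
        "http://198.51.100.7/fcid/6a6f686e2e736869657240736f70686f732e636f6d/";
    char email[128];
    if (phish_url_recipient(url, email, sizeof email))
        printf("token decodes to %s (looks like e-mail: %d)\n",
               email, looks_like_email(email));
    else
        printf("no decodable token in %s\n", url);
    return 0;
}
```

A token that decodes to the target's own address is a reason to treat the link as a per-recipient beacon: opening it in a sandbox still confirms the address to the attacker unless the token is stripped or replaced first.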
Modern phishing
HD phishing
Locally targeted
Malvertising
Malvertising threat chain (diagram: RTB, ad network, third party)
No site is immune
Exploit kits
A decade of misery (timeline: 2006, 2013, 2016)
Exploits as a Service
(diagram labels) Victim side: Initial Request, Redirection, Landing Page, Exploits, Payloads, Malicious Payloads. Infrastructure: Gateway Servers, Malware Distribution Servers, Management Panel (Get Current Domain, Get Stats, Update payloads, Stats), VPN. Roles: Exploit Kit Admin, Exploit Kit Customers, Spammer/Malvertiser, Exploit merchant, Ransomware author.
EK prominence – October 2016
RIG
Nuclear
Chinese EK
Da Gong/Gondad
Angler
Fiesta
Neutrino v2
Other
Mirai
What we know, by the numbers
•550,000 compromised devices
•9 different architectures
•Attacking tcp/23,2323
•80% are DVRs
•24% overlap with 'gafgyt'
•10% attacked Dyn
•10/1/2016 source code released
Mirai infrastructure
src: http://blog.level3.com/security/grinch-stole-iot/
scanner.c
attack.go, attack.h
Use the (brute) force
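The "brute force" in scanner.c is not a dictionary attack in the usual sense: the bot carries a short, fixed list of factory default telnet credentials, stored obfuscated (every byte XORed in turn with 0xDE, 0xAD, 0xBE and 0xEF, which collapses to a single XOR with 0x22), and picks one entry per attempt with a probability proportional to a per-entry weight. The following is an added example, not code from the talk and not the Mirai source itself; it reconstructs three entries of the table from the published source (root/xc3511, root/vizxv, admin/admin, weights 10, 9, 8), shows the deobfuscation, a weighted pick equivalent to the bot's selection, and the check a defender actually wants: whether a given device credential appears on the bot's list. Buffer sizes and the `mirai_` function names are this example's own.

```c
/* Added example: Mirai-style obfuscated default-credential table, its
 * deobfuscation, weighted selection, and a defender-side membership check.
 * Only three of the real table's entries are reproduced here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 0xDE ^ 0xAD ^ 0xBE ^ 0xEF == 0x22: four XORs in a row are one XOR. */
#define MIRAI_XOR_KEY ((unsigned char)(0xDE ^ 0xAD ^ 0xBE ^ 0xEF))

struct auth_entry {
    const unsigned char *user; size_t user_len;
    const unsigned char *pass; size_t pass_len;
    int weight;   /* the scanner tries entries in proportion to weight */
};

/* Obfuscated bytes as they appear in scanner.c: "\x50\x4D\x4D\x56" is "root". */
static const unsigned char u_root[]   = {0x50,0x4D,0x4D,0x56};
static const unsigned char p_xc3511[] = {0x5A,0x41,0x11,0x17,0x13,0x13};
static const unsigned char p_vizxv[]  = {0x54,0x4B,0x58,0x5A,0x54};
static const unsigned char u_admin[]  = {0x43,0x46,0x4F,0x4B,0x4C};

static const struct auth_entry table[] = {
    { u_root,  sizeof u_root,  p_xc3511, sizeof p_xc3511, 10 },
    { u_root,  sizeof u_root,  p_vizxv,  sizeof p_vizxv,   9 },
    { u_admin, sizeof u_admin, u_admin,  sizeof u_admin,   8 },
};
#define TABLE_LEN (sizeof table / sizeof table[0])

/* Deobfuscate n bytes into out, which must hold n + 1 bytes. */
void mirai_deobf(const unsigned char *in, size_t n, char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(in[i] ^ MIRAI_XOR_KEY);
    out[n] = '\0';
}

/* Weighted pick: r is reduced modulo the total weight and the entry whose
 * cumulative weight range contains it is returned (same distribution as the
 * bot's weight_min/weight_max ranges). r is a parameter so tests are exact. */
const struct auth_entry *mirai_pick(const struct auth_entry *t, size_t n, int r)
{
    int total = 0;
    for (size_t i = 0; i < n; i++)
        total += t[i].weight;
    r %= total;
    for (size_t i = 0; i < n; i++) {
        if (r < t[i].weight)
            return &t[i];
        r -= t[i].weight;
    }
    return &t[n - 1];
}

/* Defender-side check: is user:pass one of the pairs the bot will try?
 * Entries in this table are short; 32 bytes is an assumption of the example. */
int is_mirai_default_cred(const char *user, const char *pass)
{
    char u[32], p[32];
    for (size_t i = 0; i < TABLE_LEN; i++) {
        mirai_deobf(table[i].user, table[i].user_len, u);
        mirai_deobf(table[i].pass, table[i].pass_len, p);
        if (strcmp(u, user) == 0 && strcmp(p, pass) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    char user[32], pass[32];
    srand(1);   /* fixed seed so the demo is reproducible */
    const struct auth_entry *e = mirai_pick(table, TABLE_LEN, rand());
    mirai_deobf(e->user, e->user_len, user);
    mirai_deobf(e->pass, e->pass_len, pass);
    printf("scanner would try %s:%s\n", user, pass);
    printf("root:xc3511 on the list? %d\n", is_mirai_default_cred("root", "xc3511"));
    printf("root:hunter2 on the list? %d\n", is_mirai_default_cred("root", "hunter2"));
    return 0;
}
```

The practical takeaway is that the list is tiny and static: a device whose telnet login is not on it is never compromised by this scanner, and a device whose login is on it is found within a handful of attempts. Changing the password is sufficient against this bot; closing tcp/23 and tcp/2323 is sufficient against any bot.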
Who’s to blame?
src: https://krebsonsecurity.com/wp-content/uploads/2016/10/iotbadpass-pdf.png
src: http://www.geekculture.com/joyoftech/joyarchives/1947.html
Document malware
Why does document malware work?
•Out of the spotlight
•Familiarity and trust
•Email as file transfer protocol
•Patching failure
•Call to action
Curiosity infected the cat
Build Your Own
How to protect against document malware?
•Email filtering
•Sandbox
•Cloud services
•Document viewers
•Share files differently
Data stealing malware
Why does data stealing malware work?
•Multiple security failures
•Needs a human actor
•Poor network segregation
•Over privileged users
•Poor outbound filtering
•Unknown baseline
How does data stealing malware work?
Target(ed) exfiltration
How to protect against data stealing malware?
•Multiple security failures
•Needs a human actor
•Poor network segregation
•Over privileged users
•Poor outbound filtering
•Unknown baseline
Ransomware
Why does ransomware work?
•Complex threat chain
•Social Engineering
•No need for persistence
•Uses existing tools
•Geographically targeted, locally customized
•It's your data
Locky/Zepto/Odin
CryptoWall 4.0
Zcrypt
Stampado/Philadelphia
Ransomware and Bitcoin
•Convenient
•Anonymous
•Laundered
•Openly criminal
6 tips for preventing ransomware
1. Back up your files regularly and keep them offline
2. Don't enable macros in emailed docs
3. Tell Windows to show file extensions
4. Don't open script or shortcut files sent by email
5. Don't give yourself more login power than necessary
6. Patch early, patch often
Users
It's not all bad news
•Social engineering works
•People like to help
•Stop worrying about the Nigerians
•OSINT
•Training isn't the only answer
•Create a security culture
•Use your remote sensors