The 2019 Threat Landscape

Copyright ©2018 WatchGuard Technologies, Inc. All Rights Reserved The 2019 Threat Landscape Marc Laliberte, Sr. Security Analyst WatchGuard Technologies, Inc.


Marc Laliberte

Sr. Security Analyst, WatchGuard Technologies

6 Years at WatchGuard Technologies

WatchGuard Threat Lab Manager

A lifetime of traditional "hacking"

Specialist in network security and IoT


Agenda & Take-aways

1. Threat Landscape Statistics

– General attack statistics

2. 2019 Top Cyber Threats

– Five cyber threats to watch out for

3. Defending Against Evolving Threats


Threat Landscape by the Numbers


Endless Data Breaches


Breach Costs Rise Slightly

2018 Cost of Data Breach Study

Avg. cost per breach: $3.86M

Avg. cost per record: $148

Cost increase: 6.2%

Record cost increase: 4.7%


* Ponemon’s 2018 Cost of a Data Breach Report

Companies Slow to Detect and Contain


Top Cyber Threats


5 Threats to Beware of in 2019

Spear Phishing

Ransomworms

Fileless Malware

Crypto Hacking

Password Leaks


Flavors of Phishing

Phishing – luring a victim into giving up credentials or doing something via a legitimate-seeming email

Spear-phishing – A more customized phishing email that targets a specific individual or group

Whaling – spear-phishing that targets C-levels

Old phishing example:

• Not individualized

• Bulk recipients

• Uses real assets

• Malicious document


Spear-phishing example:

• Personalized to me

• Fits my job role

• Understands business relationships

• Sender makes sense in context

• Malicious attachment fits context


Users Still Click Phishing Emails


What is a RansomWORM?

Ransomware is a form of malware that encrypts your files and demands you pay a ransom.

A Worm is a type of malware that spreads automatically over your network.

A Ransomworm is extremely nasty ransomware that spreads to many computers in your network.


WannaCry: Ransomworm Spreads Globally

Emerged Friday, May 12th, 2017

Started in Europe

– NHS, UK (40+ locations)

– Telefonica, Spain

– Deutsche Bahn

– FedEx, US

Strong 2048-bit encryption

Leaked NSA exploit (MS17-010)

~400,000 global victims

~$300-600 ransom (bitcoin)

Mostly Windows 7

Estimated $4 billion in losses

Many copycat variants have emerged


WannaCry Still Spreading as of Mar. 2018


New Ransomware Hobbles City


What is Fileless Malware?

A fileless infection or fileless malware is a threat that ONLY loads malicious code in memory, rather than installing it on the victim’s hard drive.

Fileless Malware:

• Is harder for traditional AV to catch

• Tends to inject into normal processes on your computer

• Often leverages PowerShell and scripts

Typically arrives in two ways:

1. Exploits a software vulnerability on your computer

2. Arrives as a document (a file) that runs a script


Fileless Malware Growing

77% of attacks that successfully compromised organizations in 2017 utilized fileless techniques - Ponemon Institute*

Fileless malware attacks accounted for 52% of all attacks in 2017 - Carbon Black

* Ponemon Institute’s “The 2017 State of Endpoint Security Risk Report”


Word DDE Attacks

Macro-less Word malware abuses Microsoft’s Dynamic Data Execution (DDE) features to execute code on a victim computer.

Example:


Example of code in one Word doc:


Downloads obfuscated code DECODED


Cryptocurrencies Rocket in Value


Cyber Criminals Target Anything With Value

How cyber criminals use cryptocurrency:

1. Used for "anonymous" ransom currency

2. Target online cryptocurrency wallets

3. Find and steal cryptocurrency directly from victim computers

4. CryptoJacking


Cryptojacking is hijacking a victim’s compute resource to mine cryptocurrency without the victim’s knowledge.

• Hidden script on web sites

• Malware payloads


Identities Are on the Loose…


WatchGuard ISR: .GOV & .MIL Analysis

• Leaked .gov passwords = 380077

• Leaked .mil passwords = 503878

Do government and military organizations use password security best practices?


Combined, only .07% of these addresses used one of the 50 most common passwords.


Breaches Are Leveraging Stolen Credentials

Breaches that Leveraged Either Stolen and/or Weak Passwords

2015: 61% (39% other)

2016: 81% (19% other)

Source: Verizon Data Breach Investigations Report


Too scary! Kitten break….


Prevention: Defense in Depth

Advanced threats, by definition, leverage multiple vectors of attack.

No single defense will protect you completely from computer attacks…


• Firewall

• Intrusion Prevention System

• AntiVirus

• AntiSpam

• Reputation Services

• APT Protection

The more layers of security you have, the higher the chance an additional layer catches an advanced threat other layers miss.


Cyber Kill Chain 3.0

RECONNAISSANCE: The attacker gathers information on the victim

DELIVERY: The attack payload is delivered through the network perimeter

COMPROMISE/EXPLOIT: Vulnerabilities from reconnaissance stage are exploited to launch an attack

INFECTION/INSTALLATION: The attack payload is installed on the system and persistence is obtained

COMMAND AND CONTROL: The attack payload calls home for instructions

LATERAL MOVEMENT/PIVOTING: The attacker moves behind the network perimeter to their final target

OBJECTIVES/EXFILTRATION: The goal of the attack is accomplished


WatchGuard Breaks the KillChain

[Figure: WatchGuard security services mapped to the kill chain stages (Reconnaissance, Delivery, Compromise/Exploit, Infection/Installation, Command and Control, Lateral Movement/Pivoting, Objectives/Exfiltration). Services shown: Packet Filtering, Proxies, IPS, APT Blocker, Gateway AntiVirus, DLP, Application Control, Reputation Enabled Defense, Web Blocker, TDR, Botnet Protection.]


Contact Me

Email: [email protected]

Twitter: @XORRO_

LinkedIn: /in/marc-laliberte/

Secplicity.org/The443