Threat Landscape
John Shier Sr. Security Advisor @john_shier
November 2016
Phishing
How not to phish
http://[IP ADDRESS]/fcid/6a6f686e2e736869657240736f70686f732e636f6d/
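The path segment in that URL is a hex string that spells out the recipient's e-mail address, which is how the phisher knows who clicked. The following decoder is an added example, not code from the talk or from Sophos; it assumes the hypothetical format shown on the slide (a bare IP host and a long hex run in the path) and keeps the slide's "[IP ADDRESS]" placeholder in the sample rather than parsing a real host.

```python
import re

# Constructed sample: the URL from the slide, with its IP placeholder kept as-is.
SAMPLE_URL = "http://[IP ADDRESS]/fcid/6a6f686e2e736869657240736f70686f732e636f6d/"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MIN_HEX_BYTES = 6  # ignore short hex look-alikes such as "fcid" or 4-byte ids


def path_segments(url):
    """Split the URL path into segments without parsing the host (the slide's host is a placeholder)."""
    rest = url.split("://", 1)[-1]
    _, _, path = rest.partition("/")
    return [seg for seg in path.split("/") if seg]


def decode_hex_segment(segment):
    """Return the ASCII text hidden in a hex path segment, or None if the segment is not one."""
    if len(segment) % 2 or len(segment) < 2 * MIN_HEX_BYTES:
        return None
    try:
        raw = bytes.fromhex(segment)
    except ValueError:
        return None
    if not all(32 <= b < 127 for b in raw):  # only accept printable ASCII
        return None
    return raw.decode("ascii")


def find_encoded_identifiers(url):
    """List (segment, decoded text, looks_like_email) for every hex-encoded path segment."""
    found = []
    for seg in path_segments(url):
        text = decode_hex_segment(seg)
        if text is not None:
            found.append((seg, text, bool(EMAIL_RE.match(text))))
    return found


def redact_recipient(url):
    """Replace a hex-encoded recipient address with a placeholder before the URL goes into a shared report."""
    for seg, _text, is_email in find_encoded_identifiers(url):
        if is_email:
            url = url.replace(seg, "<recipient-redacted>")
    return url


if __name__ == "__main__":
    for seg, text, is_email in find_encoded_identifiers(SAMPLE_URL):
        print(f"{seg} -> {text!r} (email: {is_email})")
    print(redact_recipient(SAMPLE_URL))
```

Because the segment identifies the person who received the message, redacting it before the URL is pasted into a ticket or a threat-intel share avoids leaking the recipient list a second time.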
Modern phishing
HD phishing
Locally targeted
Malvertising
[Figure: Malvertising threat chain (RTB, ad network, third party)]
No site is immune
Exploit kits
A decade of misery
[Timeline: 2006, 2013, 2016]
Exploits as a Service
[Diagram: Exploits as a Service. Actors: Exploit Kit Admin, Spammer/Malvertiser, Exploit merchant, Ransomware author. Components: Victims, Redirection, Gateway Servers, Landing Page, Exploits, Payloads, Management Panel, Malware Distribution Servers, VPN, Exploit Kit Customers. Flows: Initial Request, Get Current Domain, Get Stats, Update payloads, Malicious Payloads, Stats]
EK prominence – October 2016
[Chart: share by exploit kit: RIG, Nuclear, Chinese EK, Da Gong/Gondad, Angler, Fiesta, Neutrino v2, Other]
Document malware
Why does document malware work?
• Out of the spotlight
• Familiarity and trust
• Email as file transfer protocol
• Patching failure
• Call to action
Curiosity infected the cat
Build Your Own
How to protect against document malware?
• Email filtering
• Sandbox
• Cloud services
• Document viewers
• Share files differently
Data stealing malware
Why does data stealing malware work?
• Multiple security failures
• Needs a human actor
• Poor network segregation
• Over privileged users
• Poor outbound filtering
• Unknown baseline
How does data stealing malware work?
Target(ed) exfiltration
How to protect against data stealing malware?
• Multiple security failures
• Needs a human actor
• Poor network segregation
• Over privileged users
• Poor outbound filtering
• Unknown baseline
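Two of the points above, poor outbound filtering and an unknown baseline, are what make targeted exfiltration hard to notice. The script below is an added example, not from the talk or from Sophos, of the minimum a defender needs: a per-host baseline of daily outbound volume built from a few days of proxy logs, and an alert when a host blows past it. The log format and the addresses (RFC 5737 documentation ranges) are constructed for the example; hosts that have no history are reported separately, because without a baseline there is nothing to compare against.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample proxy log in a hypothetical format (not from the slides):
# date time host destination bytes_out=<bytes>
LOG_LINES = """\
2016-11-07 09:12:01 ws-017 203.0.113.10:443 bytes_out=180000
2016-11-07 11:40:22 ws-017 203.0.113.10:443 bytes_out=220000
2016-11-08 08:55:13 ws-017 203.0.113.10:443 bytes_out=200000
2016-11-08 14:02:45 ws-017 203.0.113.11:443 bytes_out=150000
2016-11-09 10:13:58 ws-017 203.0.113.10:443 bytes_out=210000
2016-11-10 02:31:07 ws-017 198.51.100.77:443 bytes_out=9500000
2016-11-10 02:44:19 ws-017 198.51.100.77:443 bytes_out=8100000
2016-11-07 09:30:00 ws-042 203.0.113.10:443 bytes_out=300000
2016-11-08 09:31:00 ws-042 203.0.113.10:443 bytes_out=310000
2016-11-09 09:29:00 ws-042 203.0.113.10:443 bytes_out=295000
2016-11-10 09:33:00 ws-042 203.0.113.10:443 bytes_out=305000
2016-11-10 03:05:41 ws-099 198.51.100.77:443 bytes_out=6000000
""".splitlines()

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\S+) (\S+) bytes_out=(\d+)$")


def parse(lines):
    """Parse log lines into (day, host, destination, bytes_out); malformed lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            day, host, dst, out = m.groups()
            records.append((day, host, dst, int(out)))
    return records


def daily_totals(records):
    """Sum bytes_out per (host, day)."""
    totals = defaultdict(int)
    for day, host, _dst, out in records:
        totals[(host, day)] += out
    return totals


def detect_exfil(records, target_day, ratio=5.0, floor_bytes=5_000_000):
    """Flag hosts whose outbound volume on target_day exceeds both ratio x their median
    daily baseline and an absolute floor. Returns (alerts, hosts_without_baseline)."""
    totals = daily_totals(records)
    known_dst = defaultdict(set)
    for day, host, dst, _ in records:
        if day < target_day:  # ISO dates compare correctly as strings
            known_dst[host].add(dst)
    alerts, no_baseline = [], []
    for host in sorted({h for h, _ in totals}):
        baseline = [v for (h, d), v in totals.items() if h == host and d < target_day]
        today = totals.get((host, target_day), 0)
        if not baseline:
            no_baseline.append(host)  # the "unknown baseline" case: nothing to compare against
            continue
        base = median(baseline)
        if today > max(ratio * base, floor_bytes):
            new_dsts = sorted({dst for day, h, dst, _ in records
                               if h == host and day == target_day and dst not in known_dst[host]})
            alerts.append({"host": host, "bytes_out": today, "baseline": base,
                           "new_destinations": new_dsts})
    return alerts, no_baseline


if __name__ == "__main__":
    found, unbaselined = detect_exfil(parse(LOG_LINES), "2016-11-10")
    for a in found:
        print(f"ALERT {a['host']}: {a['bytes_out']} bytes out vs median {a['baseline']}; "
              f"new destinations {a['new_destinations']}")
    print("hosts with no baseline (cannot be judged):", unbaselined)
```

The absolute floor keeps a normally quiet host from alerting on a single large but legitimate upload, and the list of never-before-seen destinations is what turns a volume alert into something an analyst can act on; both thresholds are assumptions to tune per environment.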
Ransomware
Why does ransomware work?
• Complex threat chain
• Social Engineering
• No need for persistence
• Uses existing tools
• Geographically targeted, locally customized
• It’s your data
Locky/Zepto/Odin
CryptoWall 4.0
Zcrypt
Stampado/Philadelphia
6 tips for preventing ransomware
1. Back up your files regularly and keep them offline
2. Don’t enable macros in emailed docs
3. Tell Windows to show file extensions
4. Don’t open script or shortcut files sent by email
5. Don’t give yourself more login power than necessary
6. Patch early, patch often
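Tips 2, 3 and 4 above, and the "Email filtering" item on the document malware slide, can be enforced at the mail gateway instead of relying on every user. The triage function below is an added example, not from the talk or from Sophos; the extension watch lists are assumptions to adjust for your environment. It blocks script and shortcut attachments, holds macro-capable Office files for a sandbox or viewer, and catches the double-extension trick that tip 3 is about: Windows hides only the final extension, so "invoice.pdf.js" is displayed as "invoice.pdf".

```python
import os

# Watch lists assumed for this example (not taken from the slides); tune them to your environment.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd", ".scr", ".exe"}
SHORTCUT_EXTS = {".lnk", ".url"}
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xlam", ".pptm"}
LEGACY_OFFICE_EXTS = {".doc", ".dot", ".xls", ".ppt"}  # binary formats that can carry macros silently
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}


def extensions(filename):
    """All dotted suffixes of the base name, lower-cased: 'Invoice.PDF.js' -> ['.pdf', '.js']."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:] if p] if len(parts) > 1 else []


def assess_attachment(filename):
    """Return (verdict, reason) for one attachment file name."""
    exts = extensions(filename)
    if not exts:
        return ("allow", "no extension")
    last = exts[-1]
    # Tip 3: Explorer hides only the final extension, so 'invoice.pdf.js' is shown as 'invoice.pdf'.
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in SCRIPT_EXTS | SHORTCUT_EXTS:
        return ("block", f"double extension: displayed as {exts[-2]} with extensions hidden, actually {last}")
    # Tip 4: script and shortcut files have no business arriving by email.
    if last in SCRIPT_EXTS:
        return ("block", f"script or executable attachment ({last})")
    if last in SHORTCUT_EXTS:
        return ("block", f"shortcut file ({last})")
    # Tip 2: hold macro-capable documents for a sandbox or viewer instead of delivering them.
    if last in MACRO_EXTS:
        return ("quarantine", f"macro-enabled Office document ({last})")
    if last in LEGACY_OFFICE_EXTS:
        return ("quarantine", f"legacy Office format that may carry macros ({last})")
    return ("allow", f"{last} not on a watch list")


def triage_message(attachment_names):
    """Verdict for a whole message: the most severe verdict among its attachments, plus per-file reasons."""
    results = {name: assess_attachment(name) for name in attachment_names}
    worst = max((v for v, _ in results.values()), key=SEVERITY.get, default="allow")
    return worst, results


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["invoice.pdf.js", "Quarterly_Report.docx", "Invoice_2016.docm", "scan.jpg.lnk", "README"]
    verdict, details = triage_message(sample)
    print("message verdict:", verdict)
    for name, (v, why) in details.items():
        print(f"  {name:24s} {v:10s} {why}")
```

Filename checks are only the first layer: archives and renamed files get past them, which is why the document malware slide pairs filtering with a sandbox and alternative viewers.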
Users
It’s not all bad news
• Social engineering works
• People like to help
• Stop worrying about the Nigerians
• OSINT
• Training isn’t always the answer
• Create a security culture
• Use your remote sensors