Ever-Changing Threat Landscape
Karl Ackerman, Product Management, September 2018
Evolution of Cyber Crime
The Setting: London, early summer. A new startup is offering new un-hackable technology, protected by patents.
The Demo: secure wireless communications.
The Actors: Guglielmo Marconi, inventor of the wireless radio; Nevil Maskelyne, first hacktivist and magician.
The Evolution of Endpoint Threats
[Timeline figure, 1998 to 2016: From Malware to Exploits. Traditional Malware era: Melissa Virus, Love Letter Worm, FinFisher Spyware. 2009: introduction of PolyPack, "crimeware as a service". Advanced Threats era: Exploit as a Service, Locky Ransomware. Years marked: 1998, 1999, 2003, 2007, 2014, 2015, 2016. Damage figures shown: $1.2B, $15B, $780M, $2.3B, $800M, $500M, $1.1B.]
Continued rapid growth in new malware: by the end of 2019 over 1 billion unique malware samples will exist.
[Chart: Total Malware collected over time (AV-Test), 2005 to 2018, y-axis 0 to 900,000,000 samples]
The age of single-use disposable malware
• SophosLabs receives and processes 500,000 previously unseen malware samples each day.
• 75% of the malicious files SophosLabs detects are found only within a single organization.
Why Hack?
[Pie chart of attacker motivations: 77%, 5%, 15%, 3%; segment labels are not recoverable from the slide]
Stats: Hackmageddon.com; HP, The Business of Hacking: Business Innovation Meets the Business of Hacking
Threat Actors and their objectives (typical tooling: objectives)
• Malware as a Service: smash and grab, monetary gain
• Tend to leverage tools: attack reputation or damage operations
• Most advanced tools: persistent espionage, war
• Does not have to use malware: revenge, monetary gain
Attack Lifecycle
• Initial Compromise: the attacker successfully executes malicious code on one or more systems. Techniques: spear phish, application exploitation, web exploitation.
• Establish Foothold: the attacker ensures remote access to a recently compromised system. Techniques: custom malware, command and control.
• Escalate Privileges: the attacker gains greater access to systems and data than was initially available. Techniques: password cracking, credential theft, "pass-the-hash", application exploit.
• Internal Recon: the attacker explores the victim's environment. Techniques: critical system recon; system, Active Directory and user enumeration.
• Move Laterally: the attacker uses the established foothold to move from system to system. Techniques: net use command, reverse shell.
• Maintain Persistence: the attacker ensures continued access to the victim environment. Techniques: backdoor variant, VPN subversion, sleeper malware.
• Complete Mission: the attacker accomplishes their goal. Techniques: staging services, data consolidation, data theft.
Threat vectors, payloads and techniques
Infection Vectors: Browsing 70%, Email 25%, Other 5% (malicious URLs, phishing attacks, removable media, unauthorized apps)
Common Infection Payloads: 45% weaponized documents (.doc, .xls, .pdf); 32% malicious executables (.exe); 15% malicious scripts and HTML
Non-.exe Malware
- Leverages an authorized application to perform malicious activity
- Often uses existing system tools to complete the attack
- May use malformed content to exploit the legitimate application
.exe Malware
- Frequently packed and obfuscated to avoid traditional signature scans
- May be hidden inside legitimate software
- Often deployed by other malware to establish persistence
Script-based Malware
- Typically JavaScript run in the browser
- Includes MSHTA, PowerShell, cmd scripts etc.
- Often used to deliver a malicious exe or establish a connection to C2
Exploit Activity: Exploits (90% of breaches involved an exploit)
- Leverage a known or unknown vulnerability to execute code
- Often use multiple exploit techniques to achieve the objective
- May never deploy a file to the device and can stay in runtime memory
Emerging Threats
Behaviors: Live off the Land
• Authorized applications and system tools
• Leverage phished credentials
• Never deploy malware
Exploit Driven
• Zero-day vulnerabilities continue to go undiscovered
• Vulnerability lifetime is 6.9 years; just 22 days to develop an exploit; cost $30-100K for a true zero-day vulnerability
• Source: https://www.rand.org/pubs/research_reports/RR1751.html
Crypto Jacking
• Growth in Bitcoin value had commensurate growth in malicious coin mining activity
Ransomware
• Not going away; most consumers and businesses remain vulnerable
More about Exploits
• Malware samples: effectively unlimited (∞); 500,000 new malware per day [1]
• >70% of companies breached [2]
• >90% of data breaches use exploits [2]
• >30% increase from 2015 [3]
• >6,800 vulnerabilities per year [3]
• Nearly 200 days from vulnerability to patch [4]
• Available exploit methods: tens, with very few new exploit methods per year
Sources: 1 VirusTotal; 2 NSS Labs; 3 Gartner; 4 WhiteHat Security
Approaches:
• Traditional Anti-Virus: file analytics, heuristics, URL blocking
• Anomaly Detection (SIEM, EDR, UEBA): security operations center, forensic breach assessment teams; more questions than answers
• Patch Management: vulnerability scanning, device management, patch testing and deployment
• Anti-Exploit, which targets the root of the problem: exploit and ransomware prevention, incident response report, automatic root cause attribution
JavaScript Miner Example: Coin Hive
New technology trends
Machine Learning
PROS: very effective at detecting malicious executables; detects never-before-seen malware
CONS: almost exclusively for executables; not all attacks have files to analyze
Anti-Exploit
PROS: able to detect attacks that leverage unknown vulnerabilities; only about two dozen exploit methods exist and few new ones appear each year
CONS: malware executables, scripts and other attacks don't have to use exploits
Endpoint Detection & Remediation
PROS: can detect variance from expected behavior; investigation tools can be very powerful
CONS: after-the-fact detection; most have a very high cost to acquire and operate; success depends on the skill of the operator; high false positive rate