The webinar is available on demand on our YouTube Channel.
THE THREAT LANDSCAPE
A great deal has changed in the last 10-15 years. As recently as the late 80s into the 90s, cybersecurity was far less of a business challenge.
Cybersecurity organisations such as Sophos would send out virus definitions and ID files once a month, first on floppy disc then on CD. That became weekly, then daily.
Today, data from SophosLabs - a global operation analysing malicious code around the clock - indicates we’re now seeing over 400,000 unique samples of malware daily.
Targeted attacks are on the rise, with 75% of malware never being seen again, and we'll explore in greater detail this trend to disposable malware and how cyber criminals have shifted up a gear, recycling malicious code to sidestep more traditional endpoint security platforms.
The more traditional viruses generally account for only about 5% of the bad stuff seen. That’s the recycled, reused malware that doesn’t really change from one day to the next. So, if you are relying on endpoint security that just uses signatures to identify malware, you’re only protecting yourself against 5% of the bad code in circulation.
According to figures from the beginning of 2018, cryptojacking accounted for 3% of threats, and these figures are set to grow. (For more information, download the SophosLabs Threat Report 2019.)
Cryptojacking goes one step further than using a computer as part of a zombie or bot attack. Cryptojacking leverages spare resources on affected computers and servers to cryptomine currencies, creating money for Bitcoin wallets.
Hacking tools are utilised to achieve:
- privilege escalation – escalating a logged on user’s account to admin status
- theft of credentials from memory and from registry
- lateral movement, moving from Android or iOS systems onto Windows or Linux systems
These can be very well rehearsed and highly targeted attacks, where a cybercriminal has spent a great deal of time getting to know and understand an organisation, before weaponising an attack.
This is a comprehensive category which includes zero day attacks, worms and making use of software vulnerabilities.
Software vulnerabilities are still a major attack vector for cyber criminals – we’re all aware of, but don’t enjoy, the process of patching systems, and cyber criminals make really good use of this vulnerability.
A cybercriminal will spend time getting to know what software an organisation uses, so they can craft an attack targeted to that organisation.
Scale of Threat
Most people are now aware of the risks that ransomware poses to an organisation.
Results from 2018’s The State of Endpoint Security Today indicated that 54% of organisations surveyed were hit by ransomware in 2017.
This figure may well have been higher, as organisations could be unwilling to admit that they have been hit by ransomware.
Others may be unaware that they’ve been attacked. An end user may have clicked on something within an email or been the victim of a drive-by download from a website, and their files have been encrypted; however, they’ve not told the IT team, thinking that they can possibly recover the files from backup.
The same survey put the median cost of a ransomware attack at £100k. This is not just the amount that organisations pay cybercriminals to get their data back. This includes:
- Cost of consultants brought in to understand:
  - what has gone wrong
  - how to prevent this happening again
- Loss of revenue while a website or server was down (particularly e-commerce organisations)
77% of ransomware victims were running up to date endpoint protection. However traditional endpoint protection only protects against 5% of threats. Having a list of updated definitions no longer keeps you safe against the latest threats.
It was in 2017 that the threat posed by ransomware really became recognised, starting with the WannaCry attack in May. Until this point, attacks had been financially damaging, but with WannaCry, the personal, human impact became very real.
Cybercriminals made use of the EternalBlue exploit, which targeted an SMB vulnerability within Windows XP and Windows 7 computers and allowed malware to traverse the network.
The cybercriminals used social engineering techniques, demanding money, to a tight deadline, in a bitcoin wallet.
The NHS sector in the UK, including hospitals and GP surgeries, was significantly affected. A&E departments were unable to admit patients and operations were cancelled.
NotPetya was similar to WannaCry; however, it then went on to attack the master boot record of the computer’s operating system, encrypting the entire hard drive. This prevented the computer from rebooting, and this message was displayed.
Exposure to malware of this type is widespread. Data readily available online from SHODAN reveals the extent of devices exposed to the internet with SMB ports open.
1992 saw 1,500 unique samples of malware. Today, we’re seeing over 400,000 new samples daily, with over 700,000,000 unique samples recorded in SophosLabs, driven by automated malware polymorphism.
Polymorphic malware is where signature based detection struggles to keep up. Take the case of a server that has been infected as a result of a botnet and is dishing out malware. It’s been infected and is owned by the cybercriminal.
It could be in an innocuous website that people go to on a regular basis to download files and data, eg streaming video or audio or maybe just downloading driver files.
The unsuspecting victim goes to the web server that's been affected with malware and requests a file. The file may look like the file they've requested but it's also been infected and it appears identical, with the exception of the last couple of characters.
The web server is dishing out unique malware every time a request is made. If we're using traditional endpoint security to detect and block bad stuff, the original copy of file.exe, once spotted as being malicious, would be covered by a virus definition update to that endpoint security. However, if the user made the same request to the same server and received what looks like the same file, it is actually unique, so traditional endpoint security would not spot it, and there would not be an ID file to prevent it from coming down until it had been detected as being malicious.
Cyber criminals are very good at using Cloud to carry out illegal activity.
Satan, for example, is a current online ransomware variant, and there are many more.
Cyber criminals have created a whole ecosystem - they want to make it very easy for customers to get access to their wares. Some of these sites will provide SLAs to their customers. Anyone with a stolen credit card or bitcoins who decides they want to become a cybercriminal can get access to these resources. They don’t need to be a cyber genius, know how to code or even be particularly technical.
Examples of targeted attacks are all too common. The British Airways attack is a good example of how a supply chain can become infected. In this case, the mobile app - or the organisation that wrote the mobile app - saw their code attacked. As a result, confidential customer information, including credit card details, was compromised.
Information is still emerging about the Marriott attack in November. Worryingly, the malware inside the Marriott system is believed to have been there since 2014, demonstrating the extent of the dwell time - the amount of time that cybercriminals are happy to wait and quietly gather information, exfiltrating information out of the organisation.
Cybercriminals are ultimately after data to sell it on the dark Web. Typically credit card details for an individual card can be sold for about $8 on the black market.
GDPR should be front of mind and part of an organisation's process when designing systems with security in mind. It's not clear at the moment how much BA and potentially Marriott might be fined under GDPR, but there could well be consequences for these organisations as a result of the breaches suffered.
It’s important to note that the GDPR is not a tool with which to beat organisations. There are good examples of where organisations have fallen victim to a breach but they've had systems and tools in place. The ICO want organisations to have an interest and an inclination to try and be compliant with GDPR wherever possible, and to try to reduce the risk.
Too Many Vendors, Too Many Dashboards
One of the biggest challenges we have is that we have so many vendors and so many dashboards, with almost too much technology and too many options to manage. It can be overwhelming to identify gaps in an organisation and it's something that Sophos are trying to address, reducing the number of dashboards to keep your data safe.
Visibility & Detection
Blind spots make it difficult to understand:
- What is happening
- Where to go next
- How malware got into the organisation
- How to be sure that an attack is definitely over
Analysis & Investigation
IT teams within organisations often don't have individuals that are focused on cybersecurity. Cybersecurity can be just part of a wider IT team that also looks after the website, laptops, configuring phones for staff, pushing out new versions of applications or patching endpoints. Cybersecurity is just one piece of the puzzle for organisations who don't necessarily have the luxury of having a team to analyse systems.
Without specialists within your organisation, focusing on response can be overwhelming.
Difficult to Use
EDR solutions can be difficult to use, complex to operate and rely heavily on expert security analysts - some of whom can command six figure salaries, so not something within the budget of all organisations.
Some EDR systems provide fantastic information about bad stuff happening but don't provide information about how to respond, so it's more after the event - you’re then required as an individual or a team to go and use third party tools and solutions to do something with the information that you've been provided with.
Some EDR solutions can be very expensive and very time consuming. They're great if you know how to use the comprehensive systems that exist, but unfortunately, going back to the issue of resources, organisations do not have the luxury of having people who know how to configure and maintain a detailed solution.
Common concerns from organisations who are or who have been a victim of cybercrime include:
- Am I under attack?
- Is the threat over?
- What is this file?
- Has the attack spread?
- Are we out of compliance?
- Does it exist anywhere else?
- What should I prioritise?
- How should I respond?
Intercept X with EDR aims to address these questions - often categorised as the "who, what, where, when, how" type questions.
Features and Benefits
- EDR starts with the strongest protection
- Add expertise, not headcount
- Guided incident response
Intercept X is a top rated endpoint protection platform which uses intelligent deep learning, a particular flavour of machine learning technology. Machine learning, or AI, is all around us and is the buzzword of the industry. Any next gen Endpoint vendor should be using some sort of artificial intelligence and machine learning. Sophos believe that their deep learning mathematical algorithms and training model, put together with DARPA in the US, is the best of breed.
Consolidating Protection and EDR into a Single Solution
Taking these two components, Sophos has created Intercept X Advanced with EDR.
Intercept X is already stopping a lot of the threats out there, whether that's ransomware, zero day attacks or attacks using vulnerabilities which exist within software.
EDR is focusing on the top 3% - which hasn't been positively identified as 100% malicious. It hasn't been convicted by Intercept X - it looks potentially suspicious but rather than cause problems with false positives, instead the EDR platform alerts and reports it.
It lightens the EDR workload, as a product like Intercept X stops a lot of the bad stuff on the endpoint before the EDR gets a look at it.
Resources are optimised by reducing this noise and making the data presented by the EDR platform a lot more manageable.
In a recent survey into barriers to EDR adoption, over 40% cited staff knowledge. A lot of money can be spent on an EDR platform, however people are still needed to manage it.
Sophos are trying to address these concerns by developing a system that's a lot more comprehensive, intuitive and easy to manage.
Intercept X aims to replicate the capabilities associated with hard to find analysts.
The screen shot shows a list of threat cases. Intercept X has seen something that is potentially malicious and wants to report that information so action can be taken.
This test environment contains only 20 or so computers, with high, medium and low priorities - however in a large organisation this could become very noisy, very quickly. (In January 2019, Intercept X will be updated, adding a threat score for better workload prioritisation.)
The list of high priority threat cases has been identified - these can be filtered to look for certain machines and certain users.
Using a Cryptoguard example: clicking on this you can see some information about the attack. This summary gives high level information about the:
- files which were potentially at risk from a GDPR perspective
You can see the root cause, and that the beacon point (the point at which Intercept X convicted this as being potentially malicious) was when SophosTester.exe ran. This is a test application, but this could easily have been malware. We can see what the action was, and what the outcome was - in this case it was cleaned.
Intercept X Advanced has the option to create a forensic snapshot of a computer. Perhaps you're wanting to use the EDR platform to do some reactive analysis of a computer - for instance if the end user has flagged concerns that there’s something not quite right about the computer. A forensic snapshot can be created, which will create a database on the endpoint of all the processes which are running on the computer and the history that the endpoint has recorded. This can be analysed in-house, or if you’re utilising Managed Services from Chess, by their engineers.
It can also be used as part of a Penetration Test, for example if a user in an organisation has fallen victim to a phishing attack or a phishing simulation test. An EDR snapshot on the machine can be created, based on a test that has been failed, or if there's some malware running on a computer.
Clicking on a file, this is a Sophos tester, so it’s easily recognised by Sophos labs.
Let’s say for a moment that this was a process that wasn't recognised, and that it was potentially malware.
Intercept X hasn’t stopped it, as it isn’t definitely convicted as bad, but we can see some potentially malicious events going on as part of an attack.
The Machine Learning Analysis can be accessed by clicking “Request Latest Intelligence”. This process takes about two minutes, sending the file off to Sophos Labs. (All files are analysed in memory, never written to disc and the datacentre is here in the UK.)
The Machine Learning Analysis includes really useful attributes that help either the end user customer or the support provider, if you’re buying in services. For example, if a file contains additional “packers”, which are essentially processes or code within an application which then call or write additional applications, this is bad practice for software and typically is representative of files of malicious intent. Attributes identified could point to the file being malicious.
We can look at code similarities - cyber criminals are using clever tools to essentially rewrite malware by changing some small, insignificant detail in the file code which gives it a new file hash and makes it appear unique to endpoint security. In this case we can see how similar it is to another version. What’s quite useful is that it also has some similarities to known bad stuff identified by Sophos Labs. If this number was higher and SophosTester.exe was malicious, then we could start to build an idea of whether this particular process should be trusted or not.
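The polymorphic download scenario described earlier (a file that is identical except for its last couple of characters) and the code-similarity comparison above can be reproduced on constructed data. This is an added example, not Sophos code or the product's algorithm: it uses Jaccard similarity over byte shingles as a simple stand-in, and the sample bytes, function names and 0.8 threshold are assumptions.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def shingles(data: bytes, n: int = 4) -> set:
    """Overlapping n-byte windows; a small edit changes only a few of them."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two shingle sets, from 0.0 to 1.0."""
    sa, sb = shingles(a, n), shingles(b, n)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)

def triage(sample: bytes, known_bad: list, threshold: float = 0.8):
    """Return (verdict, best similarity score) for one sample.

    An exact hash match is the signature case. A near match is only
    reported as suspicious, mirroring alert-and-report rather than conviction.
    """
    if sha256(sample) in {sha256(k) for k in known_bad}:
        return "blocked-by-signature", 1.0
    best = max((similarity(sample, k) for k in known_bad), default=0.0)
    if best >= threshold:
        return "suspicious-similar-to-known-bad", best
    return "unknown", best

# Constructed stand-ins for file contents (not real executables).
BASE = b"".join(b"block-%03d:" % i + bytes(range(i, i + 16)) for i in range(64))
ORIGINAL = BASE + b"\x00\x00"   # the copy that already has a definition
VARIANT = BASE + b"\x7f\x3a"    # same content, last two bytes differ
UNRELATED = bytes((i * 37 + 11) % 256 for i in range(len(ORIGINAL)))

if __name__ == "__main__":
    for name, blob in [("original", ORIGINAL), ("variant", VARIANT),
                       ("unrelated", UNRELATED)]:
        verdict, score = triage(blob, [ORIGINAL])
        print(f"{name:9} {sha256(blob)[:12]} {verdict} ({score:.3f})")
```

The variant gets a completely different hash, so the signature check misses it, while its similarity score to the known-bad copy stays close to 1.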
We also have some information about the file path and the run location of the application - again, whether or not files should be running from this location tells us whether or not this should be a trusted application.
We can also do a “Clean & Block”, removing and blacklisting instances from the computer - for example if we become victims of a phishing attack and we’re receiving multiple emails within a short space of time to multiple users. We can also ask the computer which other computers within the organisation currently have this piece of malware on them.
From a compliance point of view, this is really useful for demonstrating that you have invested in the tools necessary to hunt your estate for potentially malicious code, if you are a victim; but it also gives you the tools, should you need them, to really report in detail what has happened as a result of an attack.
Suggested Next Steps
Based on what's been revealed, the next steps are created. Sophos have just added in a “Device Isolation” feature. If you switch it on, and the endpoint identifies a device as having malware, the heartbeat status turns to red. The computer will be blocked from accessing the network during that time. It's important to note that there's wireless access with Sophos Central and XG firewall. Sophos are essentially getting into the network stack of the computer and temporarily preventing access to the network and other systems.
A Threat Case can be resolved - eg closed, and notes added to say what the outcome was. From a compliance point of view, this gives you a process to look back on, with historical data.
This will help answer the tough questions about an incident:
- Understand the scope and impact
- Detect attacks that may have gone unnoticed
- Search for indicators of compromise across the network (estate hunting)
- Prioritise events for further investigation
- Analyse files to determine if they are a threat or potentially unwanted
- Confidently report on your security posture at any given moment
An analyst identifies an incident, eg “Dropper.exe”, which is being listed in the EDR platform as a suspicious event.
We can see that Dropper.exe distributed some malware, which was blocked.
We can determine where else on the network Dropper.exe exists, and create a threat case for any other machines infected with Dropper.exe, eg a user that’s received a phishing email might have opened up that email on multiple devices within the organisation.
We can request details from Sophos labs - in which case we click on the blue button to request threat intelligence from Sophos Labs on Dropper.exe, analysing the code using our Deep Learning to identify whether the file is malicious.
We can remediate the threat using our Clean and Block technology, which will remove the threat from this machine and any other machines on which it exists.
Third Party Validation
The Threat Landscape
For more information, download the SophosLabs 2019 Threat Report