Mark Loman, former CEO of Surfright and now Sophos' Director of Engineering, presented Intercept X to the Dutch market at the Sophos Day Netherlands. This signatureless next-generation endpoint security solution delivers anti-ransomware, anti-exploit and anti-hacker features that will bring the game of IT security to a whole new level.
7. Exploits As a Service
[Diagram of an exploit-kit-as-a-service operation. Labels: Victims, Initial Request, Redirection, Landing Page, Exploits, Malicious Payloads, Stats; Exploit Kit Customers, Tor, Get Current Domain, Get Stats, Update payloads; Exploit Kit Admin, Management Panel, Malware Distribution Servers, Gateway Servers.]
10. Known to Unknown
Evolutionary Threat Trends (Threats / Targets)
• Known to Unknown: 75% of malware inside an organization is unique to that organization
• Large to Small Business: 70% of all organizations reported a compromise in the last 12 months
• Simple to Industrialized: As Malware-as-a-Service platforms evolve, payloads are being monetized on the Dark Web with the same market pressures we see govern any industry
• Volume to Targeted: Exploit kits cause over 90% of all data breaches
• Malware to Hacking: 63% of data breaches involve stolen credentials
• Everyone to Weakest: Average time to fix vulnerabilities is 193 days
(Sources: Sophos Labs; NSS Labs; WhiteHat Security; Verizon DBIR; FBI / InfoSec London)
14. Intercepting Exploits
[Chart: Vulnerabilities vs Exploits vs Exploit Techniques; total count over time. Series: vulnerabilities (1,000s/yr), public exploits (100s/yr), exploit techniques (10s). Annotations: "Prior knowledge of public attacks (signatures / behaviors)" and "Patching".]
15. Intercepting Exploits
[Same chart, adding: 100,000,000+ new malware each year.]
16. Intercepting Exploits: Blocking Exploit Techniques vs Antivirus
[Diagram: stages of an exploit-based attack and the exploit technique used at each. PREPARATION: Heap Spray. TRIGGERING: Use after Free. GAIN CONTROL: Stack Pivot, ROP. CIRCUMVENT (DEP): Call OS function. POST: Ransomware activity. Two rows mark where Antivirus and Sophos Intercept X act along this chain.]
• Most exploit-based attacks consist of 2 or more exploit techniques
• Exploit techniques do not change and are mandatory to exploit existing and future software vulnerabilities
17. Example Code Execution Flow
[Diagram: a call travels over time from machine code in User Space, through a System DLL (API call), into the Kernel (System call) and on to the Processor.]
18. On Execute File Scanning (Antivirus)
[Same diagram; API call leading to a System call (e.g. CreateProcess).]
• Check file on disk (signature check) when the process is created
• No attention to the machine code that called CreateProcess
19. Stack-based ROP Mitigations (Microsoft EMET)
[Same diagram; the API call checked is VirtualProtect.]
• During ROP attacks, the stack contains no reliable data
• The attacker has control over the steps (the stack) and can manipulate the defender
20. Branch-based ROP Mitigations (Hardware Assisted) (Sophos Intercept X)
[Same diagram; API calls checked include VirtualProtect and CreateProcess.]
• Software stack and hardware-traced branch analysis (manipulation resistant)
• Leverages and repurposes a previously unused feature in mainstream Intel® processors
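To make the contrast in slides 19 and 20 concrete, here is an added simulation (not Sophos code, and not how Intercept X implements it) of the two checks a defender can run when a sensitive API such as VirtualProtect is entered: a walk of the return addresses found on the stack, and a check of CPU-recorded branch records. The code image, stack contents and branch records are constructed; the branch records stand in for a hardware branch-trace feature such as Intel LBR, which is my assumption about the unnamed processor feature.

```python
# Added example: stack-walk check vs branch-record check for a ROP chain.
# Everything below is constructed; it is not Sophos or Intercept X code.
BASE = 0x400000
IMAGE = bytearray(0x100)          # tiny stand-in for a loaded module's code
# call rel32 (E8 xx xx xx xx) at +0x10: the address after it, +0x15, is a
# legitimate "call-preceded" return address
IMAGE[0x10:0x15] = b"\xe8\x00\x00\x00\x00"
# call [mem] (FF 15 xx xx xx xx) at +0x20: +0x26 is likewise call-preceded
IMAGE[0x20:0x26] = b"\xff\x15\x00\x00\x00\x00"
# two ROP gadgets that nothing calls into: pop ebx; ret and pop eax; ret
IMAGE[0x40:0x42] = b"\x5b\xc3"
IMAGE[0x50:0x52] = b"\x58\xc3"


def call_preceded(addr):
    """True if the instruction that ends just before addr is an x86 CALL
    (E8 rel32, or FF /2 in a 2..6 byte encoding). A genuine return address
    satisfies this; a RET that lands on a gadget normally does not."""
    off = addr - BASE
    if off >= 5 and IMAGE[off - 5] == 0xE8:
        return True
    for length in range(2, 7):
        start = off - length
        if start >= 0 and IMAGE[start] == 0xFF and ((IMAGE[start + 1] >> 3) & 7) == 2:
            return True
    return False


def stack_walk_check(stack):
    """EMET-style check: inspect the return addresses found on the stack when the
    API is entered. The stack is attacker-controlled data, so a chain can leave
    plausible, call-preceded values there for the defender to find."""
    return [a for a in stack if not call_preceded(a)]


def branch_trace_check(records):
    """Branch-record check: the CPU logged (kind, from, to) for recent branches.
    Every RET must land on a call-preceded address; anything else is a gadget hop."""
    return [to for kind, _frm, to in records if kind == "ret" and not call_preceded(to)]


# Constructed observation at the moment VirtualProtect is entered.
STACK_AT_CALL = [BASE + 0x15, BASE + 0x26]      # looks like two honest frames
BRANCH_RECORDS = [
    ("call", BASE + 0x10, BASE + 0x80),  # real call into a function ...
    ("ret", BASE + 0x83, BASE + 0x15),   # ... returning to a call-preceded address
    ("ret", BASE + 0x41, BASE + 0x50),   # gadget ret -> next gadget (not call-preceded)
    ("ret", BASE + 0x51, BASE + 0x60),   # gadget ret -> API entry (not call-preceded)
]

if __name__ == "__main__":
    print("stack walk flags:", [hex(a) for a in stack_walk_check(STACK_AT_CALL)])
    print("branch trace flags:", [hex(a) for a in branch_trace_check(BRANCH_RECORDS)])
```

The stack walk reports nothing because the chain wrote clean-looking return addresses before the call, while the branch records, which user-mode code cannot rewrite, expose both gadget hops.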
21. Intercepting Exploit Techniques (Overview)
• Stack Pivot: Stops abuse of the stack pointer
• Stack Exec: Stops attacker’s code on the stack
• Stack-based ROP Mitigations: Stops standard Return-Oriented Programming attacks
• Branch-based ROP Mitigations (Hardware Assisted): Stops advanced Return-Oriented Programming attacks
• Import Address Table Filtering (IAF) (Hardware Assisted): Stops attackers that look up API addresses in the IAT
• SEHOP: Protects against overwriting of the structured exception handler
• Load Library: Prevents loading of libraries from UNC paths
• Reflective DLL Injection: Prevents loading of a library from memory into a host process
• Shellcode: Stops code execution in the presence of exploit shellcode
• VBScript God Mode: Prevents abuse of VBScript in IE to execute malicious code
• WoW64: Stops attacks that address 64-bit functions from a WoW64 (32-bit) process
• Syscall: Stops attackers that attempt to bypass security hooks
• Enforce Data Execution Prevention (DEP): Prevents abuse of buffer overflows
• Mandatory Address Space Layout Randomization (ASLR): Prevents predictable code locations
• Bottom Up ASLR: Improved code location randomization
• Null Page (Null Dereference Protection): Stops exploits that jump via page 0
• Heap Spray Allocation: Pre-allocates common memory areas to block example attacks
• Dynamic Heap Spray: Stops attacks that spray suspicious sequences on the heap
• VTable Hijacking: Helps to stop attacks that exploit virtual tables in Adobe Flash Player
• Hollow Process: Stops attacks that use legitimate processes to hide hostile code
• DLL Hijacking: Gives priority to system libraries for downloaded applications
• Application Lockdown: Stops logic-flaw attacks that bypass mitigations
• Java Lockdown: Prevents attacks that abuse Java to launch Windows executables
• AppLocker Bypass: Prevents regsvr32 from running remote scripts and code
22. Intercepting Ransomware
Monitor File Access
• If suspicious file changes are detected, file copies are created
Attack Detected
• Malicious process is stopped and we investigate the process history
Rollback Initiated
• Original files restored
• Malicious files removed
Forensic Visibility
• User message
• Admin alert
• Root cause analysis details available
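Slide 22 and the speaker note "Monitor for distinct changes in the file headers" describe the sequence monitor, copy, stop, roll back. The following is an added simulation of that sequence (not Sophos code, and not how Intercept X implements it), using a constructed magic-byte table, a constructed process id 4242, and temporary files in place of a file-system filter.

```python
# Added example: a file-header guard with copy-before-write and rollback.
# Constructed simulation, not Sophos or Intercept X code.
import shutil
import tempfile
from collections import defaultdict
from pathlib import Path

MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".docx": b"PK\x03\x04"}  # expected leading bytes
THRESHOLD = 2   # header rewrites by one process before it is treated as an attack
JUNK = bytes(range(0x80, 0xA0))   # stands in for ciphertext; matches no magic value


def header_ok(path):  # do the first bytes match the magic expected for the extension?
    expect = MAGIC.get(path.suffix.lower())
    return expect is None or path.read_bytes().startswith(expect)


class RansomGuard:
    def __init__(self, backup_dir):
        self.backup_dir = Path(backup_dir)
        self.copies = {}                 # path -> last known-good copy
        self.touched = defaultdict(set)  # pid -> files whose header it broke
        self.blocked = set()
        self.events = []                 # process history for root-cause analysis

    def on_write(self, pid, path, data):
        """Simulated file-system hook, invoked when a process overwrites a file."""
        if pid in self.blocked:
            return "blocked"
        if path.exists() and header_ok(path):
            backup = self.backup_dir / path.name
            shutil.copy2(path, backup)   # keep the still-good version before the write
            self.copies[path] = backup
        path.write_bytes(data)
        if header_ok(path):
            return "ok"
        self.touched[pid].add(path)
        self.events.append(f"pid {pid} rewrote header of {path.name}")
        if len(self.touched[pid]) < THRESHOLD:
            return "suspicious"
        self.blocked.add(pid)            # stop the process ...
        for victim in sorted(self.touched[pid]):   # ... and restore what it damaged
            shutil.copy2(self.copies[victim], victim)
            self.events.append(f"restored {victim.name} from backup")
        return "detected"


def demo():
    root, backups = Path(tempfile.mkdtemp()), tempfile.mkdtemp()
    files = {"report.pdf": b"%PDF-1.7 body", "photo.png": b"\x89PNG body", "notes.docx": b"PK\x03\x04 body"}
    for name, body in files.items():
        (root / name).write_bytes(body)
    guard = RansomGuard(backups)
    results = [guard.on_write(4242, root / name, JUNK) for name in files]
    heads = {name: (root / name).read_bytes()[:4] for name in files}
    shutil.rmtree(root), shutil.rmtree(backups)
    return results, heads, guard.events
```

A legitimate converter that rewrites a document in place also trips the header check, so the threshold and the recorded process history, not a single event, should drive the decision to block.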
24. Sophos Clean
Malware Removal. Vulnerability Assessment.
Works with existing AV
• Signatureless, on-demand scanner
• Does not need to be installed
• Shows what the others missed
• 30-Day Free License
Removes Threats
• Deep System Inspection
• Removes Malware Remnants
• Full Quarantine / Removal
• Effective Breach Remediation
On-Demand Assessment
• Identifies Risky Files / Processes
• Constantly Refreshed Database
• Provides Additional Confidence
• Command-Line Capable
25. Cloud Intelligence
[Diagram: Sophos Central and Cloud Intelligence above the product portfolio, split into In Cloud and On Prem.]
Analytics | Analyze data across all of Sophos’ products to create simple, actionable insights and automatic resolutions
Sophos Labs | 24x7x365, multi-continent operation | URL Database | Malware Identities | File Look-up | Genotypes | Reputation | Behavioural Rules | APT Rules | Apps | Anti-Spam | Data Control | SophosID | Patches | Vulnerabilities | Sandboxing | API Everywhere
Sophos Central | Admin, Self Service, Partner | Manage All Sophos Products | User Customizable Alerts | Management of Customer Installations
Products: UTM/Next-Gen Firewall, Wireless, Email, Web, Endpoint/Next-Gen Endpoint, Mobile, Server, Encryption; Synchronized Encryption
26. Synchronized Encryption: A New Paradigm in Data Protection
User Integrity App Integrity System Integrity
Encrypt Everything, Everywhere, Automatically
Synchronized with Endpoint Protection
“By 2019, 25% of security spend will be driven by EU data protection regulation and privacy concerns.” - IDC
28. Synchronized Security
[Same diagram as slide 25: Sophos Central and Cloud Intelligence (Sophos Labs, Analytics) above the In Cloud / On Prem product portfolio: Endpoint/Next-Gen Endpoint, Mobile, Server, Encryption, UTM/Next-Gen Firewall, Wireless, Email, Web.]
Editor's Notes
Anti-M Better, so threats more adv, coord
Virus/Sigs, Poly/Heuristics – Sandbox/Sleep
Malware to Hacking
Spray/Pray focus payload
Creds/Remote Access – focus approach
Like threats, security had to evolve
File scan, Heuristics, Limit Surface (Prevent)
Good, but reactive, focus history, known, defense
Move to proactive, unk, offense
Why? The move to hacking
What if legit creds, apps, systems…
You won a gift certificate
Sophisticated/Coordinated
Targets – 25-50, IT, Mumbai
India – Banking, IT (Bangalore)
When considering our product R&D strategies, it’s instructive to start with the trends that we see affecting information security. So here we have a list of what I consider to be some of the more influential forces. Let me spend just a few moments on each:
First, let’s acknowledge the megatrends: cloud, mobile, and IaaS (infrastructure as a service). The effects that we’re seeing as a result of these are the growth of new classes of security controls, such as CASB (cloud access security brokers, which attempt to mediate and secure access to the estimated 16,000 cloud services available today); EMM (enterprise mobility management, which increasingly attempts not only to manage, but also to secure our ever growing number of mobile computing devices); and IaaS (infrastructure as a service) specific solutions, which seek to address the “shared security model” of providers such as Amazon AWS and Microsoft Azure, wherein they pledge to secure the infrastructure, but leave it to their customers to secure their compute instances and their data. Overall, we see all of these as great opportunities, and as you’ll hear, we’re already offering some exciting solutions in each area with more to come.
Next, we have the tensions that have been brewing for months between the public and private sectors on the matter of encryption. While most of the headlines were captured by the battle between Apple and the FBI, any company that makes use of encryption in its products (which is nearly every company that operates on the internet) is affected by this. First, as a leading vendor of encryption solutions, it was important to us to make it perfectly clear to our customers and partners that we would never introduce backdoors of any kind into our products, or otherwise compromise the integrity of the security of our products. We made this statement prominently available on our site at Sophos.com/nobackdoors. Second, we believe that some of the legislation that is being proposed and passed, such as the EU’s GDPR (general data protection regulation), will drive significant growth in data security as businesses seek to comply with customer data protection laws. In fact, the analyst firm IDC estimates that GDPR alone will drive $1.8B in security software investment by 2019.
IoT (the internet of things) is something that’s also been in the news a lot. Gartner estimates that the 6.4B connected devices in 2016 will grow to over 20B by 2020. Most of these devices are wireless, creating enormous demands for additional wireless capacity and scalability, something that Bryan will be talking to you about a little later. But IoT also presents a massive new attack surface, and it’s not possible, or at least not straightforward, to protect these devices with any kind of client software. Instead, the security must come from the network, creating an opportunity for new kinds of IoT specific network security controls.
The lack of defender coordination describes a condition which has long been understood but never well addressed. It’s probably best understood in contrast: if we had perfect defender coordination, then the moment an attack was successfully used against a single victim, that victim would be able to share all of the salient details of the attack, and subsequent attacks of the same sort would be immediately identifiable and defendable. Clearly, we’re far from that. The reason is because, as an industry, we’ve historically lacked the ability to instantaneously share information. That was one of the key driving influences behind Synchronized Security – we wanted to provide our customers with a framework to effortlessly share security information, first within their enterprises, but ultimately across the entire population of Sophos protected customers as we continue to develop our analytics platform. I’ll be talking more about some interesting Synchronized Security use-cases later.
C-Level spear phishing, also known as whaling, has also been in the news a lot this past year. The wireless networking company Ubiquiti disclosed last year that they fell victim to $46.7M in CEO wire fraud, and the FBI estimates that the total exposure has been over $2.3B over the past 3 years. We see this as an opportunity for better training, as well as better phishing security controls. In particular, we think that by applying analytics to the problem, beyond just traditional Bayesian filters, we can more effectively detect this kind of email threat.
The paradox of encryption describes the condition whereby the internet simultaneously becomes more secure as more and more of its traffic moves to encryption (SSL/TLS/HTTPS), and less secure because it becomes increasingly expensive and difficult to perform inspection on the encrypted content. In fact, some forms of encryption simply cannot be decrypted, even for legitimate security purposes such as content inspection. For this reason, we expect that there will need to be a collaboration between the network and the endpoints in order to continue to provide any measure of content inspection, and we think that our balanced product portfolio and our SyncSec strategy position us well for this.
Ransomware and Cryptoware describes a class of malware that holds files on a victim’s system hostage, seeking payment in the amount of hundreds or thousands of dollars to release the files from their encrypted prisons. According to the Cyber Threat Alliance, Cryptowall, a single instance of cryptoware, netted criminals in excess of $325M last year. To date, the best advice of the industry has been to update your AV software, don’t click on strange links or open unusual attachments, make sure you have good backups, and even just pay the ransom. While most of this is sound advice, it’s clear that the industry needs better solutions. We are about to introduce such a solution as part of our upcoming NGEP release, which John will be talking to you about shortly.
Common-mode failures refer to the fact that the entire internet is built on a common set of components (Linux, OpenSSL, bash, MySQL, redis, etc.), and when there is an exploitable vulnerability in one of these components, the effects spread through the entire internet like wildfire. Even if a patch is immediately made available by the software vendor or the open-source project, it still requires that users patch, which is something that can take weeks or even months. During this window of exposure, these systems are sitting ducks, unless they have something else in place to mitigate the attacks. Again, we see this as a great opportunity to provide general exploit protection at the endpoint, which will be part of the Intercept product that John will talk about, as well as better exploit controls on the network through more comprehensive intrusion prevention signatures.
The Cybersecurity skills gap is the scarcity of skilled security professionals to help businesses deal with the ever-evolving threat landscape. According to Frost and Sullivan, 62% of 14,000 interview respondents stated that their organizations have too few information security professionals, up from 56% in 2013. It’s a situation where we must do more with less, and we think the best way to achieve that is to simplify security, which has long been a tenet of how we design our products, and one of our company’s distinguishing traits.
Finally, on the positive side, we are observing that more and more organizations are beginning to take a risk-based approach to security. They are more systematically assessing their attack surfaces, calculating the business criticality of their systems, quantifying their risk, and designing their controls appropriately. It’s a welcome kind of maturation. And it’s also a major component of how we design our solutions.
#5 - 22K international victims @$3B in exposed losses – (IC3 – Internet Crime Complaint Center) https://www.ic3.gov/media/2016/160614.aspx
#9 – “62% of the survey respondents (14,000) stated that their organizations have too few information security professionals. This compares to 56% in the 2013 survey” https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan-(ISC)²-Global-Information-Security-Workforce-Study-2015.pdf
You cannot trust the breadcrumbs on the stack, normally traversed to determine origin; the stack is under control of the attacker who can mislead the defender.
Level of confidence is significantly increased by leveraging and repurposing a previously unused feature in mainstream Intel® processors.
Delivers manipulation resistant data from within the hardware. It’s like GPS data revealing the path an attacker has taken, all the way leading up to the malicious action.
Monitor for distinct changes in the file headers
Sophos Clean is a signatureless, on-demand malware scanner that's just 11 MB and does not need to be installed. You can run it from a USB flash drive, a CD/DVD, or from network attached storage, which is nice if malware is manipulating the installed antivirus software and its updates.
Joe’s notes on the synchronized security scenarios (for reference).
• Heartbeat first (now)
• Unknown AppID (soon)
• Kepler – adding application and system integrity from EP (soon)
• Shunning / lateral movement protection on endpoint/server (soon)
• Phishing protection - reputation system, training, adaptive security based on assessment results (future)
• Mobile devices as “continuous auth” solutions - using sensors for voice, image, fingerprinting, geolocation, gait measurement (way future)
Source for the 25% of spend driven by data compliance: IDC FutureScape: Worldwide IT Security Products and Services 2016 Predictions. Nov 2015. Doc # 259836