sophos presentation used during the switchpoint nv/sa quarterly experience day on 7th june 2016


Upload: switchpoint-nvsa

Post on 12-Jan-2017


TRANSCRIPT

Page 1: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016

Lars Putteneers, 7 June 2015

SOPHOS: Stopping Tomorrow’s Attacks Today: a next-gen approach for advanced threats

Page 2

Sophos Snapshot

• Founded 1985, HQ in Oxford, UK
• $450M in FY15 billing (approx.)
• 2,200 employees (approx.)
• 200,000+ customers
• 100M+ users
• 90+% best-in-class renewal rates
• 15,000+ channel partners
• OEM partners, key dev centers and offices (map)

Page 3

Sophos Complete Security in an Enterprise

Diagram of the Sophos portfolio deployed across an enterprise: at home and on the move, at headquarters, at remote office 1 and remote office 2, with SophosLabs (reputation data, active protection, correlated intelligence, content classification) and Sophos Cloud feeding all of them. Products shown: Endpoint Security, SafeGuard Encryption, Mobile Control, Secure Wi-Fi, Guest Wi-Fi, Secure VPN Client, Secure VPN (RED), UTM / NextGen Firewall, Secure Web Gateway, Secure Email Gateway, Web Application Firewall, Network Storage Antivirus, Server Security, Administration.

Page 4

Tomorrow’s attacks

Page 5

Anatomy of a ransomware attack

1. Installation via an exploit kit or spam with an infected attachment. Once installed, the ransomware modifies the registry keys.

2. Contact with the attacker’s command & control server. The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer.

3. Encryption of assets. Certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery.

4. Ransom demand. A message appears on the user’s desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker’s system has access to.

5. And gone. The ransomware then deletes itself, leaving just the encrypted files and ransom notes behind.

Page 6

Angler: an all-too-well-known exploit kit

• Grown in notoriety since mid 2014
  ○ The payload is stored in memory and the disk file is deleted
  ○ Detects security products and virtual machines
  ○ Ability to spread many infections: banking Trojans, backdoors, rootkits, ransomware
• Easy to use
  ○ Doesn’t require any particular technical competence
  ○ Available for a few thousand USD on the Dark Web

Page 7

Angler’s evolution into the dominant exploit kit

Timeline chart with data points at Sep 2014, Jan 2015 and May 2015.

Page 8

Another one bites the dust

• 350,000 new malware programs per day
• 70% of organisations reported a compromise in the last 12 months
• $500 billion worldwide damages
• Estimated to rise to $1.5 trillion by 2019

Page 9

The next-gen approach: Sophos Clean, Hitman Pro, Sophos Sandstorm

Page 10

Sophos Clean

• All new business product
• Removal Complete, part of Hitman Pro => standalone product

Page 11

Should I Stay Or Should I Go

Page 12

Bullet in the head

Page 13

Hitman Pro

• Product of Surfright
• For consumer and business market
• Signature-less protection
• Will come in Cloud and on-premise solutions

Page 14

Hitman Pro: Risk Reduction

Page 15

Hitman Pro: Risk Reduction

Page 16

Ransomware

• Cryptowall costs users $325M in 2015
  ○ 2 out of 3 infections driven by phishing attack
  ○ Delivered by drive-by exploit kits
  ○ 100’s of thousands of victims worldwide
• More variants – Locky and Samas
  ○ Now for Mac and Windows users
• Targeting bigger phish
  ○ $17K payment from California hospital

CryptoGuard – Say Goodbye to Ransomware

• Simple and comprehensive
• Universally prevents spontaneous encryption of data
• Simple activation in Sophos Central

Page 17

CryptoGuard

1. Monitors file system activity.
2. When a file is opened for write, creates a just-in-time backup of the file.
3. When the file is closed, compares the contents.
4. When the file is no longer a document, marks it as suspicious.
5. If this happens on many files (3 or more), rolls back the files from the above backup and revokes write access from the process (or client IP) that made the changes.
6. All modifications are tracked per process or per client IP, so if a remote client modifies files, they are tracked, rolled back and blocked if needed.
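A small model of the six CryptoGuard steps above, added here as an illustration; it is not Sophos code. The in-memory "disk", the printable-text heuristic standing in for "no longer a document", the actor names (a process name and a client IP) and the sample files are all assumptions constructed for the example.

```python
from collections import defaultdict

ROLLBACK_THRESHOLD = 3   # slide step 5: "3 or more" files mutated by one actor

def looks_like_document(data: bytes) -> bool:
    """Assumed stand-in for step 4: a document is mostly printable text (or empty)."""
    if not data:
        return True
    printable = sum(b in (9, 10, 13) or 32 <= b < 127 for b in data)
    return printable / len(data) >= 0.9

class CryptoGuardMonitor:
    """Steps 1-6 over an in-memory 'disk'; an actor is a process name or a client IP (step 6)."""
    def __init__(self, fs):
        self.fs = fs                          # path -> bytes, stands in for the file system
        self.backups = {}                     # (actor, path) -> just-in-time copy (step 2)
        self.suspicious = defaultdict(dict)   # actor -> {path: original} for files that stopped being documents
        self.blocked = set()                  # actors whose write access was revoked (step 5)

    def open_for_write(self, actor, path):
        if actor in self.blocked:             # a revoked actor can no longer write
            return False
        self.backups[(actor, path)] = self.fs.get(path, b"")
        return True

    def close(self, actor, path, new_data):
        original = self.backups.pop((actor, path), None)
        if original is None or actor in self.blocked:
            return
        self.fs[path] = new_data                                   # the write lands on disk
        if looks_like_document(original) and not looks_like_document(new_data):
            self.suspicious[actor][path] = original                # steps 3-4: compare, mark suspicious
        if len(self.suspicious[actor]) >= ROLLBACK_THRESHOLD:      # step 5
            self.fs.update(self.suspicious[actor])                 # roll back from the backups
            self.blocked.add(actor)                                # revoke write access

def run_demo():
    # Constructed sample data: four text documents on a share.
    fs = {f"/share/report{i}.txt": f"Quarterly report {i}\n".encode() * 20 for i in range(4)}
    guard = CryptoGuardMonitor(fs)
    # A benign local editor appends to one document: it is still a document, nothing is flagged.
    guard.open_for_write("winword.exe", "/share/report0.txt")
    guard.close("winword.exe", "/share/report0.txt", fs["/share/report0.txt"] + b"Approved.\n")
    # An unknown remote client overwrites documents with non-text bytes (constructed, not real malware).
    for path in list(fs):
        if guard.open_for_write("10.0.0.23", path):
            garbage = bytes((i * 131 + 7) % 256 for i in range(len(fs[path])))
            guard.close("10.0.0.23", path, garbage)
    return guard
```

After `run_demo()` the remote client is blocked on its third mutated file, the three files are restored from their just-in-time copies (report0 keeps the editor's benign change), and the fourth file is never written.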

Page 18

Hitman Pro: Exploit Mitigation

Page 19

Hitman Pro: Exploit Mitigation

Page 20

Hitman Pro: Exploit Mitigation

Page 21

Hitman Pro: Exploit Mitigation

Page 22

Hitman Pro: Safe Browsing

Page 23

Hitman Pro: Safe Browsing

Page 24

Hitman Pro: Removal Complete

Page 25

Hitman Pro: Removal Complete

Sophos SandstormHow Sophos Sandstorm works

1. If the file has known malware it’s blocked immediately. If it’s otherwise suspicious, and hasn’t been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait.

2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete.

3. A detailed report is provided for each file analyzed.

Advanced Threat Defense Made Simple

• Secure Web Gateway
• Secure Email Gateway
• Unified Threat Management
• Next-Gen Firewall

Page 27

Summary

Page 28

TRADITIONAL MALWARE / ADVANCED THREATS

Methods and techniques vary depending on device type and operating system (Windows, Mac, Linux/Unix variants, Android, iOS)

And SophosLabs never stops innovating and assessing new techniques

I just want to be your everything

• Exposure prevention (80%): malicious URL blocking, malicious web script detection, download reputation
• Pre-execution analytics and heuristics (10%): generic matching using heuristics and component-level rules
• Signatures (5%): signature match of malware or malware components (1-1)
• Run-time behavior analytics (3%): behavior matching and runtime analytics
• Exploit detection (2%)

Page 29

More information

• Sophos whitepaper on how to stay protected from ransomware: https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en
• Sophos technical whitepaper on ransomware: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of-ransomware.pdf?la=en
• Naked Security – regular stories on Locky and other ransomware attacks: https://nakedsecurity.sophos.com/
• IT Security DOs and DON'Ts: https://www.sophos.com/en-us/medialibrary/PDFs/employeetraining/sophosdosanddontshandbook.pdf?la=en
• Threatsaurus: https://www.sophos.com/en-us/medialibrary/PDFs/other/sophosthreatsaurusaz.pdf?la=en
• Sophos free tools: https://www.sophos.com/fr-fr/products/free-tools.aspx

Page 30

Questions?

Page 31

© Sophos Ltd. All rights reserved.