Ransomware, Phishing and APTs
Avoid Falling Victim to These Cyber Threats
It’s in the news...
Ransomware Discoveries
(Timeline figure spanning 2005 through Q1 2016, from Gpcoder in 2005 via Reveton in 2012 to Locky in 2016; the per-family quarter markers are not recoverable from the slide. Families shown: LockDroid, KeRanger, CryptoApp, PayCrypt, Encryptor RaaS, XRTN, Troldesh, Gpcoder, Reveton, Kovter, Browlock, Linkup, Locky, Slocker, Cryptolocker2015, CTB-Locker/Citron, Synclocker, Ransom32, Maboua OSX POC, Pacman, Virlock, Dumb, Simplocker, Power Worm, Pclock, DMA-Locker, Threat Finder, Hidden Tear, ORX-Locker, Vipasana, Umbrecrypt, LowLevel404, Hi Buddy, Hydracrypt, CryptInfinite, TeslaCrypt, Onion, Unix.Ransomcrypt, BandarChor, TorrentLocker, Nymaim, Urausy, Radamant, Cryptvault, Zerolocker, Cryptowall, VaultCrypt, Tox, Coinvault, Job Cryptor, Gomasom, Chimera Locker, 73v3n, CryptoJocker, Nanolocker, LeChiffre, Magic, Ginx.)
Indiscriminate
Anyone’s money will do just fine!
Web-based attacks are wide ranging:
• From individuals being targeted all the way up to more strategic targets…
• Use multiple attack vectors
It’s high impact!
It’s not just your money that’s at stake!
• Lost revenues?
• It could also damage your company’s reputation…
• And workers’ jobs could be on the line if the demands are high enough.
What will the next morph bring?
Does your payment really mean you are free and clear?
• How long before we see ransomware payments as temporary?
• Will one payment unlock you forever?
• When will ransomware morph into “Protection ware”?
Security Threats are Common
During the past year
34% of organizations had an email phishing attack successfully infiltrate their network
30% of organizations had one or more endpoints infected with ransomware
29% of organizations had malware infiltrate through an unknown source
17% of organizations had sensitive/confidential info leaked through email
14% of organizations had an email spearphishing attack successfully infect one or more senior executives’ computers
12% of organizations were successfully infiltrated by a drive-by attack from employee Web surfing
11% of organizations were victims of a CEO Fraud/Business Email Compromise Attack
Only 27% of organizations did not experience a security attack during the past 12 months
©2016 Osterman Research, Inc.
Ransomware, Malware and Hacking are Common
One in nine organizations surveyed has been infiltrated by ransomware, malware or hacking because an employee has clicked on a phishing link or attachment.
What are Decision Makers Most Concerned About?
Decision makers are most concerned about malware infiltration, phishing and ransomware.
Many Tools are Not Solving the Problem
61% of organizations report that Web-based threats blocked by their security infrastructure are staying the same or getting worse
53% of organizations report that ransomware blocked by their security infrastructure is staying the same or getting worse
51% of organizations report that the percentage of malware blocked by their security infrastructure is staying the same or getting worse
With attacks increasing in sophistication...
What happens when an attack includes multiple threat vectors and threats across all deployment surfaces?
Multi-vector attacks
1. Start with automatic reconnaissance
2. Gain access to credentials
3. Use credentials for back door entry
4. Launch spear-phishing campaign
5. Install APT/Ransomware
6. Damage/Deface/Steal Data
7. Demand Ransom
Multi Vector Attacks - Reconnaissance + Credentials
(Diagram: the seven steps overlaid on the target environment. Assets shown: Identity, Credentials, Data…; applications shown: CRM, Web App, Exchange.)
1. Reconnaissance
2. Access to Credentials / Data
3. Use Credentials for Backdoor Access
4. APT installation
5. Damage, Deface…
6. Spear Phishing
7. Remote Users & Ransom…
Multi Vector Attacks – Credentials -> Access -> Installation of APT
(Diagram: the same seven steps. The harvested credential pair shown is UN: abcd / PW: #sdf45; the APT label sits beside the CRM, Web App and Exchange servers; the damage step is annotated “Deface Websites” and “Exfiltrate sensitive data”.)
1. Reconnaissance
2. Access to Credentials / Data
3. Use Credentials for Backdoor Access
4. APT installation
5. Damage, Deface…
6. Spear Phishing
7. Remote Users & Ransom…
Multi Vector Attacks – Spear Phishing
(Diagram: the Reconnaissance step is annotated “@ Earnings Call!”; the CEO’s harvested credentials plus a spear-phishing mail reach the AP clerk. The spoofed message shown on the slide, from Tommy (CEO) to Sally in AP:)
  Sally,
  Please urgently send $50,000 to ‘Big Corp’
  ACME Bank Corp
  Routing# 3445886846999
  AC# 5487 8798 8765 0966
  Tommy (CEO)
(Applications shown: CRM, Web App, Exchange.)
1. Reconnaissance
2. Access to Credentials / Data
3. Use Credentials for Backdoor Access
4. APT installation
5. Damage, Deface…
6. Spear Phishing
7. Remote Users & Ransom…
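The spoofed “urgent $50,000” request above is the classic CEO-fraud pattern, and it can be scored on the receiving side before Sally ever sees it. The following is an added example, not Barracuda’s code and not the product’s logic: it parses a raw message with the standard library, checks whether the display name matches a known executive while the sender address is not that executive’s mailbox, whether a Reply-To diverts replies elsewhere, and whether the body carries urgency wording and payment instructions. ORG_DOMAIN, the EXECUTIVES directory, the keyword patterns and the three sample messages are all constructed for the demo.

```python
"""CEO-fraud (BEC) heuristics for a spoofed "urgent payment" request.

Added example, not Barracuda's code. ORG_DOMAIN, EXECUTIVES, the keyword
patterns and the sample messages are constructed for this demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "acme.example"                    # constructed
EXECUTIVES = {"tommy": "tommy@acme.example"}   # constructed: first name -> real mailbox

URGENCY = re.compile(r"\b(?:urgent(?:ly)?|immediately|right away|asap)\b", re.I)
PAYMENT = re.compile(
    r"\$\s?\d[\d,]*|\bwire\b|\brouting\s*#|\bac(?:ct|count)?\s*#|\bgift cards?\b", re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Plain-text body; multipart messages contribute every text/plain part."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def score_message(raw):
    """Return (score, reasons) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = _body_text(msg)
    score, reasons = 0, []
    # A first-name match alone can collide with an outside contact who shares
    # the name, so impersonation scores 2 (review) and only blocks combined
    # with other signals.
    tokens = set(re.findall(r"[a-z]+", name.lower()))
    hit = next((e for e in EXECUTIVES if e in tokens), None)
    if hit and addr.lower() != EXECUTIVES[hit]:
        score += 2
        reasons.append("display-name impersonation of %s (sender %s)" % (hit, addr))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(addr):
        score += 1
        reasons.append("Reply-To domain differs from From domain")
    if URGENCY.search(body):
        score += 1
        reasons.append("urgency wording")
    if PAYMENT.search(body):
        score += 1
        reasons.append("payment instructions")
    return score, reasons


def verdict(raw):
    """block = hold and verify out of band; review = warn the recipient."""
    score, _ = score_message(raw)
    return "block" if score >= 4 else "review" if score >= 2 else "allow"


# Constructed sample 1: the slide's scenario, CEO display name on an external mailbox.
FRAUD_MSG = (
    'From: "Tommy (CEO)" <tommy.ceo@webmail.example>\n'
    "Reply-To: <ceo.tommy@other-webmail.example>\n"
    "To: sally@acme.example\nSubject: Quick favour\n\n"
    "Sally,\nPlease urgently send $50,000 to 'Big Corp'\n"
    "ACME Bank Corp, Routing# 3445886846999, AC# 5487 8798 8765 0966\n"
    "Tommy (CEO)\n"
)
# Constructed sample 2: ordinary internal mail from the real executive.
LEGIT_MSG = (
    "From: Tommy <tommy@acme.example>\nTo: sally@acme.example\n"
    "Subject: Q3 report\n\nSally, please send me the Q3 report by Friday.\n"
)
# Constructed sample 3: the real executive, but an urgent payment request.
INTERNAL_URGENT_MSG = (
    "From: Tommy <tommy@acme.example>\nTo: sally@acme.example\n"
    "Subject: Landlord\n\nSally, please wire $12,000 to the landlord today, it is urgent.\n"
)

if __name__ == "__main__":
    for label, raw in [("fraud", FRAUD_MSG), ("legit", LEGIT_MSG),
                       ("internal urgent", INTERNAL_URGENT_MSG)]:
        print(label, verdict(raw), score_message(raw)[1])
```

The third sample is the useful edge case: a genuine executive making a genuinely urgent payment request lands in “review” rather than “allow”, which is the right outcome, since an out-of-band callback before a wire is exactly the control that defeats this fraud whether or not the mail is spoofed.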
Multi Vector Attacks – Remote Users - Ransomware
(Diagram: Remote / Mobile Users at Coffee shops / Airports are the entry point; $ and $$ markers show the ransom demand; applications shown: CRM, Web App, Exchange.)
1. Reconnaissance
2. Access to Credentials / Data
3. Use Credentials for Backdoor Access
4. APT installation
5. Damage, Deface…
6. Spear Phishing
7. Remote Users & Ransom…
Multi Vector Attacks – Migration to Cloud
(Diagram: the same CRM, Web App and Exchange workloads moved to SaaS (Office365) and Public Cloud, with Cloud Security in front of the SaaS side and a Cloud Firewall and Cloud WAF in front of the public-cloud Web App.)
Cloud providers are responsible for cloud security.
Customers are responsible for security in the cloud!
What we just learned
1. Threat Vectors
2. Threats
3. Platform Surfaces
(Any User, Any App, Any Platform, Any Cloud, From Any Where)
End-to-end Security and Data Protection from Barracuda Networks
Detect
Prevent
Recover
Detect: The Barracuda Email Threat Scanner
• Cloud service that scans O365 mailboxes
• Finds advanced sleeping threats
• Identifies owners of said threats
• Provides detailed reports and recommendations
• Free
Detect: Barracuda Vulnerability Manager
• Scans for web application vulnerabilities across the entire website
• Detailed vulnerability scan reports
• Integration with Barracuda Web Application Firewall
• Free
(Diagram: Web Users → Applications; BVM runs the Vulnerability Scan and feeds WAF Configuration & Profiles to the Web Application Firewall.)
Prevent Spyware: Barracuda Web Security Gateway
Spyware could be picked up by mobile / remote workers and transferred to the corporate network.
The Web Security Gateway will detect and prevent all outbound activity until remediation.
(Diagram: Block All Outbound Communication)
Prevent Malware: Advanced Threat Detection
Full system emulation sandbox. Layers:
• Signatures
• Virus Protection
• Malware protection
• IP reputation
• Heuristics (static analysis)
• Sandboxing (dynamic analysis)
Safely open files to identify risks: remote detonation of malicious payload, without compromising security at the expense of user experience.
(Diagram: each File or Email is either blocked or allowed.)
Prevent Malware: ATD in Action
Ransomware Outbreak
• March 2016 saw 8 variants of Locky hitting the internet in various mutations
• ATD was able to detect and prevent 7 of the 8 variants through the static analysis layers in < 1 sec
• That day an 8th version hit ATD … which was blocked by the Dynamic Analysis Layer in ~5 minutes
Prevent Malware: ATD in Action
Open Source Virus False Positive – Opportunistic Hackers – Caught
• August 2016 - a public domain antivirus vendor releases a signature that blocks all Word docs of type .doc OLE – result: security systems block all .doc files!!
• Meanwhile hackers watch the public domain and see this. Security vendors then scramble to whitelist the .doc files.
• Attackers see the opportunity - send bulk malicious .doc files that will evade defenses
Despite the attack, ATD was able to detect and prevent any malicious .doc files making it through
Prevent Hacks: Barracuda Web Application Firewall
• Inbound inspection for Layer 7 attacks
• Outbound inspection to protect against data theft via blocking or data masking
Prevent Phishing: Link Protection
Continuously protects against malicious and typo-squatted links embedded in email
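What “malicious and typo-squatted links” means in practice is easier to see with the checks written out. Below is an added example, not Barracuda Link Protection and not any Barracuda code: it pulls every anchor out of an HTML email body with the standard library and flags three things a link-protection layer has to catch: a registrable domain within edit distance 1 of a protected brand after folding common look-alike letter pairs (rn for m, vv for w), a host that merely embeds the brand as a label or prefix (brand.example.attacker.example), and anchor text that shows one host while the href goes to another. PROTECTED_DOMAINS, the LOOKALIKES table and SAMPLE_EMAIL_HTML are constructed for the demo, and “registrable domain” is approximated by the last two DNS labels (no public-suffix list), which is a deliberate simplification.

```python
"""Link-protection style checks on URLs embedded in an email body.

Added example, not Barracuda's code. PROTECTED_DOMAINS, LOOKALIKES and
SAMPLE_EMAIL_HTML are constructed; registrable() is a two-label
approximation with no public-suffix list.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PROTECTED_DOMAINS = ["acmebank.example", "office365.example"]   # constructed
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]  # constructed, partial
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def levenshtein(a, b):
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_lookalikes(s):
    """Map visually confusable sequences onto the letter they imitate."""
    for src, dst in LOOKALIKES:
        s = s.replace(src, dst)
    return s


def registrable(host):
    """Last two DNS labels (simplification: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class _LinkParser(HTMLParser):
    """Collects (href, visible text) for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def classify_url(href, text=""):
    """Return (kind, expected, actual) findings for one link; [] means clean."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return findings
    reg = registrable(host)
    for brand in PROTECTED_DOMAINS:
        if reg == brand:
            continue  # a genuine link to the brand, any subdomain
        if levenshtein(fold_lookalikes(reg), brand) <= 1:
            findings.append(("typosquat", brand, host))
        elif brand in host or brand.split(".")[0] in host.split("."):
            findings.append(("brand_in_subdomain", brand, host))
    shown = HOSTLIKE.search(text.lower())   # anchor text that looks like a host
    if shown and registrable(shown.group(0)) != reg:
        findings.append(("display_mismatch", shown.group(0), host))
    return findings


def scan_email(html):
    """Map each suspicious href in an HTML email to its findings."""
    report = {}
    for href, text in extract_links(html):
        found = classify_url(href, text)
        if found:
            report[href] = found
    return report


# Constructed phishing body: one brand-as-subdomain link with mismatched
# anchor text, two typo-squats (one using "rn" for "m"), one genuine link.
SAMPLE_EMAIL_HTML = """<p>Your mailbox is almost full.</p>
<a href="https://acmebank.example.login-portal.example/verify">acmebank.example</a>
<a href="https://acmebanc.example/reset">Reset password</a>
<a href="https://www.acmebank.example/help">Help centre</a>
<a href="https://acrnebank.example/">Sign in</a>"""

if __name__ == "__main__":
    for href, found in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, found)
```

The look-alike fold is what catches acrnebank.example: by raw edit distance it is two changes away from the brand, so a plain threshold of 1 would pass it, but once rn is folded to m it is an exact hit. A production filter would swap the two-label approximation for a public-suffix list, otherwise brand.co.uk style domains compare on the wrong labels.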
Recover Lost Data
Comprehensive, cloud-integrated Backup solution
Simple to deploy and easy to manage
“Time Machine” type Backup
Replaces multi-vendor piecemeal backup solutions
Contains damage to time between backups
Barracuda Focus Solutions
(Diagram: product matrix across three deployment surfaces: On-Premises; Azure, AWS Public Cloud; SaaS (Barracuda Essentials). Products shown: Email Security, Next-Gen Firewall, Archiving, PST Mgt., Web Application Firewall, Web Security, Backup.)
Data protection to the rescue
Customer: Industrial Engineering, 500 Employees
Issue
• Infected by ransomware
• Unable to access data
Resolution
• Didn’t even consider paying ransom
• Reverted to a point in time pre-infection via Barracuda Backup
Barracuda Security
Secure all threat vectors and data, at all locations, against all threats, across all attack surfaces.
(Any User, Any App, Any Platform, Any Cloud, From Any Where)
Thank You